[Zope] Why I must set security-property "Access contents information" to get Data from Database?

Dieter Maurer dieter at handshake.de
Thu Feb 10 13:39:15 EST 2005


Chris Withers wrote at 2005-2-10 10:31 +0000:
>Patrick Ulmer wrote:
>> But if I only have a DTML-Document without <dtml-in> only the security 
>> property DTML-Cokument.View is necessary. Is that correct?
>
>No, you need to actually be able to get to your dtml document in the 
>first place. That means the user must somehow get the "Access contents 
>information" permission on its container, and its container's container, 
>and so on, up to the root of your Zope instance...

This would be the case, would ZPublisher use the standard traversal
procedure.
But, it fact, it does not do that. Instead, it traverses to
the URL addressed target disregarding any security restrictions,
determines which roles the target needs and than looks up again
for a user folder that can authenticate a user with the necessary
roles.

Thus, the ZPublisher allows you to access objects despite the fact
that you cannot access all ancestors of such an object.

-- 
Dieter


More information about the Zope mailing list