[Zope] limiting view access to acl_users

David bluepaul at earthlink.net
Fri Feb 24 14:54:40 EST 2006


gf wrote:

>On 2/24/06, David <bluepaul at earthlink.net> wrote:
>
>>gf wrote:
>>
>>>Hi,
>>>I am relatively new to Zope and have a question regarding acl_user folders.
>>>
>>>I am trying to prevent 'view' access to an acl_users folder that I
>>>have created in a non-root area of my website.
>>>
>>>I have used the management interface Security tab to uncheck the
>>>'Acquire permission settings' for the 'View' Permission and have
>>>enabled View for the Manager role only.
>>>
>>>I have taken the same actions for my root acl_users folder as well.
>>>
>>>When I browse to http://mysite/myfolder/acl_users, I am presented with
>>>a view of the index_html file contained within myfolder, with the
>>><dtml-var title_or_id> 'output' indicating that it is 'User Folder'.
>>>
>>>Why is acl_users making use of the container's index_html? Is there a
>>>way to limit even View access to this folder?
>>>
>>>Thanks.
>>>
>>>-g
>>>
>>gf,
>>
>>That's normal Zope acquisition.  When you access a folder with no
>>viewable object it goes *up* in search of something to acquire and
>>index_html is implied.  Authorization occurs when something is about to
>>be published or accessed - not just typed in a URL.
>>
>>David
>>
>
>Hi David,
>I appreciate the clear explanation. That certainly makes sense.
>Does that mean, then, that it is not really possible to limit view
>access like I want without some 'extraordinary' measures? Is it
>possible to have this particular folder type acquire some other object
>instead of index_html? I suppose if I could redirect to another folder
>that would be sufficient.
>
>Thanks.
>
>-g
>
gf,

So far you haven't described how they "view" acl_users.  Which is what I 
thought was your concern.  They are viewing the first (authenticated) 
viewable object which is one level above.

Maybe you can better define your security concerns.  What don't you want 
users to see?

David
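
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Zope's own code: a simplified Python model of acquisition and of the permission check being made on the object that is actually published. The `Node` class, the function names and the sample tree are hypothetical and constructed for illustration.

```python
class Node:
    """Toy stand-in for a Zope object (assumption: not Zope's real classes)."""
    def __init__(self, name, container=None, view_roles=None):
        self.name = name
        self.container = container    # containment parent
        self.children = {}
        self.view_roles = view_roles  # None models "Acquire permission settings"
        if container is not None:
            container.children[name] = self

def acquire(context, name):
    """Find name in context, else in each container above it."""
    node = context
    while node is not None:
        if name in node.children:
            return node.children[name]
        node = node.container
    return None

def roles_for_view(obj):
    """Roles allowed to View obj, resolved along obj's own containment chain."""
    node = obj
    while node is not None:
        if node.view_roles is not None:
            return node.view_roles
        node = node.container
    return {"Manager"}

def publish(root, path, user_roles):
    """Resolve the URL path, pick index_html by acquisition, then authorize it."""
    context = root
    for step in path.strip("/").split("/"):
        context = acquire(context, step)
        if context is None:
            return ("NotFound", None, None)
    published = acquire(context, "index_html") or context
    home = published.container.name if published.container else None
    status = "OK" if user_roles & roles_for_view(published) else "Unauthorized"
    return (status, published.name, home)

def build_sample():
    """Constructed tree mirroring the thread: myfolder/index_html and myfolder/acl_users."""
    root = Node("root", view_roles={"Anonymous", "Manager"})
    myfolder = Node("myfolder", root)
    index_html = Node("index_html", myfolder)
    Node("acl_users", myfolder, view_roles={"Manager"})  # View limited to Manager
    return root, index_html

if __name__ == "__main__":
    root, index_html = build_sample()
    print(publish(root, "/myfolder/acl_users", {"Anonymous"}))
    index_html.view_roles = {"Manager"}  # restrict the object that is published
    print(publish(root, "/myfolder/acl_users", {"Anonymous"}))
```

In this model the View setting on `acl_users` is never consulted for the request, because the object being published is `myfolder`'s `index_html`; only a restriction on that object changes the outcome.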
