[Zope] Newbie question : ZopeTime & permissions

Dieter Maurer dieter@handshake.de
Tue, 10 Oct 2000 20:19:14 +0200 (CEST)


Aaron Straup Cope writes:
 > I did not want to allow the Anonymous role *any* permissions, and the
 > site I am working in is contained in a folder beneath the root Zope
 > folder. 
 > 
 > The problem was that I had disabled the "Access contents
 > information" privilege for the Anonymous user (whose permissions I forgot
 > are inherited by all other users) at the root level, thus preventing Joe
 > User from being able to access internals(?) like
 > ZopeTime even if [it] had permissions at a sub-directory level.
Sorry, I was wrong, at least partially!

The fact that "ZopeTime" returns an unprotected DateTime object
does of course not mean that "ZopeTime" itself is unprotected.

After your message, I reexamined your problem:

 * "ZopeTime" is defined in "OFS.Application.Application",
   i.e. the top level application object.

 * "ZopeTime" apparently is not protected by an explicit
   permission (neither mentioned in an "__ac_permissions__"
   nor is there a "ZopeTime__roles__" attribute nor
   is there a new SecurityManager assertion about
   "ZopeTime").

   As I understand Zope 2.2 security, this should mean
   "ZopeTime" is inaccessible from DTML.
   
 * However, magically, "ZopeTime" is protected by "Access Contents
   Information". 

I cannot tell you why.
Both are astonishing:
  * that it is accessible by DTML at all
  * why "Access Contents Information" is required.

Apparently, the Zope security still has some hidden magic.


Dieter