[Zope] Folder and SQL security

Chris McDonough chrism@digicool.com
Sun, 03 Sep 2000 14:49:54 -0400


George wrote:
> 
> Security in ZOPE is very puzzling. If I have certain rules set for the
> root folder, can I set something different for the sub folders?

Sure... for general security information see both
http://www.zope.org/Members/michel/ZB (the Zope book security chapter,
mostly finished) and http://www.zope.org/Members/mcdonc/PDG (security
chapter mostly finished).

> Any
> changes seem to have no effect at all.

Can you be more specific?

> I am especially wondering about
> setting for anonymous user. I'd like to give them only 'viewing'
> privilege but that does not work. 

How doesn't it work?

> The site is not functional at all and
> asks for the password even for the viewing. Then I enable 'access the
> content' and the site works as long as I do not try to use sql.

Yes, "access contents information" is equivalent to allowing the user to
list the objects in an object manager.  It's given to anonymous by
default most of the time, and is probably required for most operations.

> When I
> however enable 'use sql methods' permission they can access my
> database, delete and add entries to it.

This should have nothing to do with 'access contents information'. 
There should be permissions available to restrict the use of sql
methods.  Have you seen them?

> What do I have to do to allow
> anonymous viewers to just view the site

Give them "view" and "access contents information" permissions. 
Depending on the products you've got installed and the operations you
want the users to be able to carry out, you may need to give them other
permissions.

> (keep in mind that I am using a
> couple of zsql methods for embedding of data in my html) I also want to
> have one of the sub folders not accessible to anyone but me.
> Can you help anyone?
> 
> Regards,
> George
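
Added example, not part of the original message and not Zope's own code: a small stand-alone Python model of how per-folder permission settings combine with acquisition, covering the two cases discussed in the thread (anonymous viewing and a sub folder closed to everyone but the owner). The `Folder` class, `set_permission` helper, the folder names and the top-level `Manager` default are assumptions made for illustration; the permission names are the ones Zope shows on its Security tab.

```python
# Toy model of Zope 2 permission settings; not Zope code.
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.settings = {}  # permission -> (roles granted here, acquire flag)

    def set_permission(self, permission, roles, acquire=True):
        # Hypothetical helper standing in for the Security tab's checkboxes.
        self.settings[permission] = (set(roles), acquire)

    def roles_for(self, permission):
        """Walk towards the root, collecting roles until acquisition is off."""
        roles, node = set(), self
        while node is not None:
            local, acquire = node.settings.get(permission, (set(), True))
            roles |= local
            if not acquire:
                return roles
            node = node.parent
        return roles | {"Manager"}  # assumed default when nothing blocks it

    def allows(self, user_roles, permission):
        return bool(self.roles_for(permission) & set(user_roles))


def build_site():
    root = Folder("root")
    for perm in ("View", "Access contents information"):
        root.set_permission(perm, ["Anonymous"])
    # Sub folder only the owner may see: stop acquiring, grant Manager only.
    private = Folder("private", root)
    for perm in ("View", "Access contents information"):
        private.set_permission(perm, ["Manager"], acquire=False)
    # Constructed layout: SELECT-only ZSQL methods live in "reports",
    # INSERT/DELETE methods in "admin_sql", which grants Anonymous nothing.
    reports = Folder("reports", root)
    reports.set_permission("Use Database Methods", ["Anonymous"])
    admin_sql = Folder("admin_sql", root)
    return {f.name: f for f in (root, private, reports, admin_sql)}


if __name__ == "__main__":
    site = build_site()
    for name, folder in site.items():
        for perm in ("View", "Use Database Methods"):
            print(name, perm, folder.allows(["Anonymous"], perm))
```

In this model the anonymous role can run only the methods under `reports`; the write methods under `admin_sql` stay limited to `Manager` because no folder above them grants the database permission to `Anonymous`.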