[Zope] Need help with security and local roles w/ GRUF

Jake Latham jlatham at datasplice.com
Mon Jan 19 12:31:19 EST 2004


Dieter -

thanks for the reply.

I was able to get the group thing working with just one additional
"GroupMember" role.  Basically, each GRUF group (Group_CustA, Group_CustB)
takes on a local role of "GroupMember" within its own directory, and in
that way, members of Group_CustA cannot get into the CustomerB/ folder,
since they are not members of Group_CustB.

However, there is an odd twist that I cannot figure out.

When the URL is:

http://blah.com/Customers/CustomerA/index_html

everything works fine.  However, when it is:

http://blah.com/Customers/CustomerA/

the insufficient privileges message comes up for any user, even owners and
managers.  When I set all of the permissions to "Acquire", everybody can
view the second URL just fine (which opens the index_html, as it should),
but then, of course, no permission control is in place against the various
customer folders.

What is the permission at work that prevents users from viewing the
index_html when the URL is in the second form?  I assume Zope does some kind
of forwarding from the directory to a default index document, but I cannot
figure out which permission it is.

As a workaround, I'm sure I can just make them link only to .../index_html,
but that seems a bit kluge-y.

Any help is appreciated...

-Jake

----- Original Message -----
From: "Dieter Maurer" <dieter at handshake.de>
To: "Jake Latham" <jlatham at datasplice.com>
Cc: <zope at zope.org>
Sent: Saturday, January 17, 2004 4:02 PM
Subject: Re: [Zope] Need help with security and local roles w/ GRUF
> Viewing is usually controlled by 2 permissions: "View" and
> "Access contents information". I expect your customers should
> be able to do more than just view their own object...
>
>
> When you describe more clearly what you did and in what way this did not
> work, we may help you better.



> Jake Latham wrote at 2004-1-16 13:45 -0700:
> > ...
> >We've got a Zope/Plone site where we want our customers to be able to log
> >in, and be taken to their directory:
> >
> >/Customers/
> >  CustomerA/
> >  CustomerB/
> >  ...
> >That much works fine.  The problem is that we need to set up permissions so
> >that the customers can only see their own directory, i.e. CustomerA cannot
> >go poking around in CustomerB's folder, were they to type in the correct URL
> >(or by mistake)
> >
> >We've fiddled with various combinations of local roles and defining a new
> >role - "Customer" to try and limit permissions, but we can't get it to work
> >quite right.  Perhaps we are not modifying the correct Permission? (We had
> >been modifying the "view" permission).
>
> --
> Dieter
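As an added illustration (not code from this thread, from Zope or from GRUF), here is a small Python model of the two mechanisms the thread turns on: local roles granted to a group on a folder and inherited below it, and permissions that are either set on an object or marked "Acquire" and taken from the parent. It assumes the simplification that publishing a URL needs "Access contents information" on every container along the path and "View" on the target; the tree, user and group names are constructed to mirror Jake's /Customers/CustomerA and CustomerB layout. The `explain_access` helper lists every check with its outcome, which is the kind of trace you need when asking "which permission is denying this request". The model does not attempt to reproduce the folder-URL symptom Jake describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Permission names taken from the thread; the tree, roles and rules below are a
# constructed, simplified model, not Zope's or GRUF's security code.
VIEW = "View"
ACCESS = "Access contents information"


@dataclass
class Obj:
    """A folder or document. perms: permission -> (roles granted here, acquire
    from parent?); local_roles: user or group id -> roles held on this object."""
    name: str
    parent: Optional["Obj"] = None
    perms: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def path(self) -> str:
        prefix = self.parent.path().rstrip("/") if self.parent else ""
        return prefix + "/" + self.name


@dataclass
class User:
    name: str
    global_roles: Set[str]
    groups: Set[str] = field(default_factory=set)


def roles_allowed(obj: Obj, permission: str) -> Set[str]:
    """Roles carrying `permission` on obj. A permission that is unset here or
    marked 'Acquire' also takes whatever the parent grants."""
    roles, acquire = obj.perms.get(permission, (set(), True))
    if acquire and obj.parent is not None:
        return set(roles) | roles_allowed(obj.parent, permission)
    return set(roles)


def roles_of(user: User, obj: Obj) -> Set[str]:
    """Global roles plus local roles granted to the user or one of its groups
    on obj or any ancestor (local roles are inherited down the tree)."""
    roles = set(user.global_roles)
    principals = {user.name} | user.groups
    node: Optional[Obj] = obj
    while node is not None:
        for principal in principals:
            roles |= node.local_roles.get(principal, set())
        node = node.parent
    return roles


def has_permission(user: User, obj: Obj, permission: str) -> bool:
    return bool(roles_of(user, obj) & roles_allowed(obj, permission))


def explain_access(user: User, obj: Obj) -> List[Tuple[str, str, bool]]:
    """Checks a request for obj's URL triggers in this model: every container
    on the path needs ACCESS, the target needs VIEW. Returns (path, perm, ok)."""
    containers: List[Obj] = []
    node = obj.parent
    while node is not None:
        containers.append(node)
        node = node.parent
    checks = [(c.path(), ACCESS, has_permission(user, c, ACCESS))
              for c in reversed(containers)]
    checks.append((obj.path(), VIEW, has_permission(user, obj, VIEW)))
    return checks


def can_view(user: User, obj: Obj) -> bool:
    return all(granted for _, _, granted in explain_access(user, obj))


def build_site() -> Dict[str, Obj]:
    """Constructed tree mirroring the thread: each customer folder gives its own
    GRUF group the local role GroupMember and restricts View and Access to
    Manager/Owner/GroupMember without acquiring from /Customers."""
    anyone = {"Anonymous", "Authenticated", "Manager"}
    root = Obj("", perms={VIEW: (anyone, False), ACCESS: (anyone, False)})
    staff_and_customers = {"Manager", "Owner", "Customer"}
    customers = Obj("Customers", root, perms={
        VIEW: (staff_and_customers, False), ACCESS: (staff_and_customers, False)})
    site = {"/": root, "Customers": customers}
    group_only = {"Manager", "Owner", "GroupMember"}
    for folder_name, group in (("CustomerA", "Group_CustA"), ("CustomerB", "Group_CustB")):
        folder = Obj(folder_name, customers,
                     perms={VIEW: (set(group_only), False), ACCESS: (set(group_only), False)},
                     local_roles={group: {"GroupMember"}})
        site[folder_name] = folder
        # index_html sets nothing itself, so both permissions acquire from the folder
        site[folder_name + "/index_html"] = Obj("index_html", folder)
    return site


if __name__ == "__main__":
    site = build_site()
    alice = User("alice", {"Authenticated", "Customer"}, groups={"Group_CustA"})
    for target in ("CustomerA/index_html", "CustomerB/index_html"):
        for path, perm, granted in explain_access(alice, site[target]):
            print(f"{'ok  ' if granted else 'DENY'} {perm!r:32} on {path}")
```

Running it shows a Group_CustA member passing every check for CustomerA/index_html and being stopped at the "Access contents information" check on /Customers/CustomerB. Clearing CustomerB's own permission settings (the equivalent of ticking "Acquire" everywhere) makes the folder fall back to what /Customers grants to the Customer role, which is why acquisition removes the per-customer isolation in this model just as Jake observed on his site.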
