[Zope] Basic Security question

Dieter Maurer dieter at handshake.de
Thu May 27 13:54:53 EDT 2004


Jonathan Hobbs wrote at 2004-5-27 11:09 -0400:
>I thought I understood permissions and roles, but...
>
>I have a folder ('Data') with the 'View' security role set to
>'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
>
>When, as an 'anonymous' user, I try to access an object within the 'Data'
>folder the security popup window (enter your name/password) is displayed.
>This works as I expected it to.
>
>I have created a dtml method called 'Display'.  This test routine is
>hardcoded to display an object from the 'Data' folder.  I have set the Proxy
>role for the Display method to "Authenticated".  When, as an 'anonymous'
>user, I access the 'Display' method the security popup window appears?!
>Shouldn't the Proxy role assigned to the dtml method enable access to the
>object in the folder?

What is the owner of this "DTML Method"?
It can at most do what its owner is allowed to do.

BTW, "VerboseSecurity" can help you to analyse difficult
security problems. Use the CVS version (once Zope's CVS starts
to work again).

-- 
Dieter
