[Zope-dev] Help on Zope security needed ...

Joachim Werner joe@iuveno-net.de
Wed, 1 Aug 2001 12:56:20 +0200


Hi!

I am trying to get into understanding the Zope security machinery (Zope
2.4), and it seems to not quite do things as expected:

I have a Folder hierarchy like this:

ROOT
  --FOLDER


- In ROOT I have a method "title" and the "index_html" method
- I have a user "Charly" that has the role "TitleViewer" in a user folder
in FOLDER
- the method "title" has View permissions linked to "TitleViewer" and
"Manager"
- the "index_html" method contains a string "<dtml-var title missing>"

Now I go to http://.../ROOT/FOLDER/index_html. My user is "Charly".

I would expect to see the title now, but I don't. If I remove the "missing"
from the <dtml-var title>, I will get a key error for "title".

The funny thing is: http://.../ROOT/FOLDER/title will work fine ...

Also, if the user is in the ROOT folder, everything works fine. But then I
can't really do what I want, i.e. restrict permissions to the FOLDER folder
...

What is wrong there? I don't have a clue what Zope protects why and how. I
always thought I knew about Zope security. But as soon as I add local roles
or local user folders, things become very strange.

I mean, if the idea is that the user must have the "TitleViewer" role in
ROOT to see title, then http://.../ROOT/FOLDER/title should not work (but it
does). But if the idea is that objects are acquired first and then user
roles are checked against them, http://.../ROOT/FOLDER/index_html should
display the title stuff (but it does not).

Cheers

Joachim