[Zope] Re: AW: Problems with jcNTUserFolder-0.0.4

Stuart 'Zen' Bishop zen@cs.rmit.edu.au
Sun, 2 Apr 2000 10:46:05 +1000 (EST)


On Sat, 1 Apr 2000, Jephte CLAIN wrote:

> I tested with a standard user folder, and this does not work either.
> This may be a bug??
> Let's sum up: the Anonymous role has all rights revoked at the top
> level, and a role 'User' is created with the same rights as Anonymous.
> In the toplevel, a user 'u' is given the role 'User'. In a sub folder,
> another user folder is created, and 'u' is given the roles 'Manager' and
> 'User'. When 'u' tries to browse the subfolder, an exception is raised
> because he is unauthorized to access standard_html_header (???)
> Note that if standard_html_header is copied in the subfolder, the error
> goes away.
> 
> This is very bizarre. Should I post this to the collector?

It looks like this is the way it is currently supposed to work. Even
though the users have the same name, they are not the same user object.
When you log into the subfolder, you are logged in as subfolder/acl_users/u.
This user has no rights outside of subfolder, and none can be granted.

So when you try to access subfolder/index_html, you are logged in
as subfolder/acl_users/u. Zope then tries to render index_html as this
user. When index_html tries to execute the <dtml-var standard_html_header>
tag, it will fail since the user we are attached as has no rights outside
of the subfolder tree.

And of course, if you point your browser to /standard_html_header, you
will be able to access it as you will be logging in as /acl_users/u which
does have the required rights.

One method of solving the originally posted problem is to have only
one acl_users folder at the root. The users who need higher rights in
the subfolders can be granted these rights by using local roles.

-- 
 ___
   //     Zen (alias Stuart Bishop)     Work: zen@cs.rmit.edu.au
  // E N  Senior Systems Alchemist      Play: zen@shangri-la.dropbear.id.au
 //__     Computer Science, RMIT 	 WWW: http://www.cs.rmit.edu.au/~zen
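
The behaviour described in the message above, as an added example that is not part of the original post and is not Zope's own code. It is a simplified model: Folder, User, can_view and build_site are hypothetical names, and the site contents are constructed.

```python
# Simplified model, NOT Zope's implementation; all names here are hypothetical.
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.users = {}        # this folder's acl_users: user name -> roles
        self.local_roles = {}  # user name -> extra roles granted on this folder
        self.objects = {}      # object id -> roles allowed to view it

    def ancestors(self):
        """Yield this folder, then each parent up to the root."""
        folder = self
        while folder is not None:
            yield folder
            folder = folder.parent

class User:
    def __init__(self, name, home):
        self.name, self.home = name, home  # home: folder whose acl_users defines this user

    def roles_in(self, folder):
        chain = list(folder.ancestors())
        if self.home not in chain:
            return set()  # outside the defining folder's subtree: no rights at all
        roles = set(self.home.users[self.name])
        for f in chain:   # local roles apply from the folder where they are granted downward
            roles |= f.local_roles.get(self.name, set())
        return roles

def can_view(user, context, object_id):
    """Acquire object_id from context upward; check roles where the object lives."""
    for folder in context.ancestors():
        if object_id in folder.objects:
            return bool(user.roles_in(folder) & folder.objects[object_id])
    raise KeyError(object_id)

def build_site(nested_user_folder):
    """Constructed sample site: Anonymous revoked, 'User' role may view."""
    root = Folder("root")
    root.users["u"] = {"User"}
    root.objects["standard_html_header"] = {"User", "Manager"}
    sub = Folder("subfolder", parent=root)
    sub.objects["index_html"] = {"User", "Manager"}
    if nested_user_folder:
        sub.users["u"] = {"User", "Manager"}   # second acl_users, same user name
        return root, sub, User("u", home=sub)
    sub.local_roles["u"] = {"Manager"}         # single acl_users plus a local role
    return root, sub, User("u", home=root)
```

With build_site(True) the subfolder user can view index_html but not the acquired standard_html_header; with build_site(False) the root user holds 'Manager' only inside the subfolder and can view both.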