[Zope] Folder and SQL security

[Chris McDonough]

On Tue, 5 Sep 2000, George Osvald wrote:

> My sql works now and security is satisfactory so thank you. The only thing
> that remains in question is that one subfolder. I created a user folder
> inside, set all the security and it does not do what I want. I want to
> restrict any access including viewing for nobody. Only authorised customers
> would be able to view the page. After turning off all the security options
> though I am still able to view the pages as nobody. How do I prevent that?

Do you have "acquire permissions" set on all the permissions of the
folder?  Have you tried turning it off?

This may be a wild goose chase because I'm sort of guessing at your
problem.   Your message has generalizations like "that one subfolder"
(what subfolder?  what are its settings?), "set all the security"
(how?), "does not do what I want" (what do you want?  exactly how
does it fail, can you give a concrete example?) and "the page" (what
page?).  It'd be helpful to define these, because as much as I try, I
can't read minds.  :-)

HTH,

C

> >
> > George wrote:
> > >
> > > Security in ZOPE is very puzzling. If I have certain rules set for the
> > > root folder, can I set something different for the sub folders?
> >
> > Sure... for general security information see both
> > http://www.zope.org/Members/michel/ZB (the Zope book security chapter,
> > mostly finished) and http://www.zope.org/Members/mcdonc/PDG (security
> > chapter mostly finished).
> >
> > > Any
> > > changes seem to have no effect at all.
> >
> > can you be more specific?
> >
> > > I am especially wandering about
> > > setting for anonymous user. I'd like to give them only 'viewing'
> > > privilege but that does not work.
> >
> > How doesn't it work?
> >
> > > The site is not functional at all and
> > > asks for the password even for the viewing. Then I enable 'access the
> > > content' and the site works as long as I do not try to use sql.
> >
> > Yes, "access contents information" is equivalent to allowing the user to
> > list the objects in an object manager.  It's given to anonymous by
> > default most of the time, and is probably required for most operations.
> >
> > > When I
> > > how ever enable 'use sql methods' permission they can access my
> > > database, delete and add entries to it.
> >
> > This should have nothing to do with 'access contents information'.
> > There should be permissions available to restrict the use of sql
> > methods.  Have you seen them?
> >
> > > What do I have to do to allow
> > > anonymous viewers to just view the site
> >
> > Give them "view" and "access contents information" permissions.
> > Depending on the products you've got installed and the operations you
> > want the users to be able to carry out, you may need to give them other
> > permissions.
> >
> > > (keep in mind that I am using a
> > > couple of zsql methods for embedding of data in my html) I also want to
> > > have one of the sub folders not accessible to any one but me.
> > > Can you help anyone?
> > >

Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org