[Zope] Urgent: acquisition and permissions question.

Dieter Maurer dieter@handshake.de
Tue, 19 Sep 2000 00:05:56 +0200 (CEST)

Gilles Lavaux writes:
 > Maybe the answer is easy, but I can not find the solution:(and maybe I was
 > completly wrong about permissions)
 > I have a folder containing SQLs and methods:
 > /project
 > and a subfolder who has his access and view security setting disable for
 > anonymous:
 > /project/protected
 > When anonymous access /project/index_html  he see the page : that's good.
 > 1)When anonymous access /project/protected/index_html he also see the page.
 >  Is it normal?? ( the index_html is of course only inside the /project )
 > 2)If anonymous access /project/protected/some_method_with_sql and the result
 > is empty, he see the result page!That's strange.
 >    But if the result is not empty, he get the authentication box : that's
 > good.
 > It's zope2.2.1
The security system does not use the full acquisition context but
only the containment. This is a security feature to prevent
a user with partial management rights in a subfolder to
affect permissions for objects outside its area.

I think (am not sure!) that in your case, the "protected" context
is not used as your objects are in fact outside "protected".