[Zope] Folder visibility

J. Cameron Cooper jccooper@rice.edu
Thu, 02 Aug 2001 16:10:08 -0500


>
>
>I have a folder 'Clients', that only managers can access. Under it I have
>folders for 'Client1', 'Client2' and so on.  The problem I have is
>when Client1 authenticates they get access to their folder, but if they
>change the URL they can access Client2's folder as well. I don't want that.
>
>I have my acl_users in the 'Clients' folder because I don't want to create
>a acl_users for each client since they only have 1 user each. But if I have
>to do this I will.
>
This seems to be exactly the scenario in the original "Folder 
visibility" post. If you give a user a role in a folder, it will have 
that role in all the contents of that folder. This works for both the 
acl_users definition and local roles. If you have all users in one user 
folder, and they all have the same roles, they will all be able to see 
the same thing.

Here's how:

o Figure out what role(s) your users will usually be. Probably 
'Anonymous' or 'Authenticated User'. Maybe something else.
o Disable the ability of your users to see anything in the area you 
want to restrict. This might be the root, or it might be a 'Clients' 
folder. (Be sure to turn off permissions acquisition.) Do this by 
turning off the necessary permissions in the restricted folder for the 
roles your users have by default.
o Create the users in that folder or one of its ancestors.
o Create a role at the level that you're restricting (maybe the root, 
maybe a 'Clients' folder) and give it permissions to see the things that 
you've restricted. We'll call it 'FolderViewer'.
o Then in each subfolder of the restricted folder (say 'Client1') go to 
the security tab, go into 'Local roles' and assign whomever gets access 
to this folder the 'FolderViewer' role. No more, no less.

The people you've granted the 'FolderViewer' role to locally in the 
subfolders will be able to see those folders and their children, no more.

        --jcc
      (again)
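The recipe above rests on two Zope rules: roles granted in a folder (globally or as local roles) are inherited by everything beneath it, and a permission's role mapping is acquired from the parent unless acquisition is switched off. The following is an added example, not code from the post or from Zope itself: a small constructed Python model of those two rules, with the original poster's setup (`View` granted to `Authenticated` at `Clients`) beside the hardened layout from the five steps (`View` restricted to `Manager` plus a new `FolderViewer` role at `Clients`, acquisition off, and `FolderViewer` granted only as a local role in each client's own subfolder). The folder, user and role names are taken from the thread; the class and function names are this example's own.

```python
"""Toy model of Zope 2 permission checks, constructed for this example (not Zope code).

Two rules are reproduced:
  * a user's roles on an object are its global roles plus any local roles granted
    on that object or on any ancestor (local roles are inherited downwards);
  * the roles allowed a permission on an object are the object's own setting,
    unioned with the parent's setting while "acquire permission settings" is on.
"""


class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}
        self.permissions = {}   # permission -> (roles, acquire flag); default acquires
        self.local_roles = {}   # userid -> set of roles granted locally here
        if parent is not None:
            parent.children[name] = self

    def set_permission(self, permission, roles, acquire):
        """Equivalent of the ZMI Security tab: which roles hold the permission
        here and whether the parent's settings are acquired as well."""
        self.permissions[permission] = (set(roles), acquire)

    def add_local_roles(self, userid, roles):
        """Equivalent of the 'Local roles' page on the Security tab."""
        self.local_roles.setdefault(userid, set()).update(roles)

    def roles_for(self, permission):
        """Roles allowed `permission` here, walking up while acquisition is on."""
        allowed, node = set(), self
        while node is not None:
            roles, acquire = node.permissions.get(permission, (set(), True))
            allowed |= roles
            if not acquire:
                break
            node = node.parent
        return allowed

    def user_roles(self, user):
        """Global roles plus local roles from this object and every ancestor."""
        roles, node = set(user.global_roles), self
        while node is not None:
            roles |= node.local_roles.get(user.userid, set())
            node = node.parent
        return roles

    def can(self, user, permission):
        return bool(self.user_roles(user) & self.roles_for(permission))


class User:
    def __init__(self, userid, global_roles=("Authenticated",)):
        self.userid = userid
        self.global_roles = set(global_roles)


def build_site(hardened):
    """root -> Clients -> Client1, Client2 (constructed sample tree).

    hardened=False: the original poster's layout, View granted to Authenticated
    at Clients, so every client user sees every client folder.
    hardened=True: the post's recipe applied."""
    root = Folder("root")
    root.set_permission("View", {"Manager", "Anonymous", "Authenticated"}, acquire=False)
    clients = Folder("Clients", root)
    client1 = Folder("Client1", clients)
    client2 = Folder("Client2", clients)
    if not hardened:
        clients.set_permission("View", {"Manager", "Authenticated"}, acquire=False)
    else:
        # Steps 2 and 4: at Clients only Manager and the new FolderViewer role
        # hold View; acquisition is off so the root's Anonymous/Authenticated
        # grants do not leak in.  (Step 3, the users themselves, lives in the
        # acl_users of Clients and is modelled by the User objects below.)
        clients.set_permission("View", {"Manager", "FolderViewer"}, acquire=False)
        # Step 5: each client gets FolderViewer as a local role in its own
        # subfolder only, which then flows down to that subfolder's children.
        client1.add_local_roles("client1", {"FolderViewer"})
        client2.add_local_roles("client2", {"FolderViewer"})
    return {"root": root, "Clients": clients, "Client1": client1, "Client2": client2}


def access_matrix(hardened):
    """(userid, folder) -> whether that user may View that folder."""
    site = build_site(hardened)
    users = [User("client1"), User("client2")]
    return {(u.userid, name): site[name].can(u, "View")
            for u in users for name in ("Client1", "Client2")}


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "original")
        for key, ok in sorted(access_matrix(hardened).items()):
            print("  %s -> %s: %s" % (key[0], key[1], "view" if ok else "denied"))
```

Running it shows `client1` able to view `Client2` in the original layout and denied there once the recipe is applied, while a `Manager` still sees everything and `Anonymous` sees nothing under `Clients`. The acquisition flag on the `Clients` folder is the step people most often forget: with it left on, the root's grant to `Authenticated` is unioned back in and every client can see every folder again.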