[Zope] Basic Security question

Jonathan Hobbs hobbs at magma.ca
Thu May 27 14:20:35 EDT 2004

Thanks for the response Dieter...

> Jonathan Hobbs wrote at 2004-5-27 11:09 -0400:
> >I thought I understood permissions and roles, but...
> >
> >I have a folder ('Data') with the 'View' security role set to
> >'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
> >
> >When, as an 'anonymous' user,  I try to access an object within the
> >folder the security popup window (enter your name/password) is displayed.
> >This works as I expected it to.
> >
> >I have created a dtml method called 'Display'.  This test routine is
> >hardcoded to display an object from the 'Data' folder.  I have set the
> >role for the Display method to "Authenticated".  When, as an 'anonymous'
> >user, I access the 'Display' method the security popup window appears?!
> >Shouldn't the Proxy role assigned to the dtml method enable access to the
> >object in the folder?
> What is the owner of this "DMTL Method"?
> It can at most do what its owner is allowed to do.

The dtml method ('Display') is owned by 'admin' (from acl_users).  The
folder ('Data') is also owned by 'admin'.

I have already tried to set the Proxy role of the dtml method to 'Owner' and
the 'View' permission setting of the folder to 'Owner', with no luck (still
get the security popup window).

> BTW, "VerboseSecurity" can help you to analyse difficult
> security problems. Use the CVS version (once Zope's CVS starts
> to work again).

We are running Zope 2.6.1, so I will try the VerboseSecurity product -
thanks for the tip!


More information about the Zope mailing list