[Zope3-dev] Traversal permission vs read permission
Garrett Smith
garrett at mojave-corp.com
Mon Jun 20 14:04:23 EDT 2005
I'd like to be able to grant permission to traverse a folder, but not
permission to view folder contents.
This could be handled in Zope by making
container.traversal.ItemTraverser a trusted adapter and protecting it
with a zope.Traverse permission.
I suspect this problem has been discussed before given Zope's maturity
-- and there must be a good reason this isn't done.
The obvious work around is to grant zope.View for the traversable folder
and then to take great pains to deny zope.View for every innaccessible
object in that folder. But having done this, I can say it's very likely
that an admin will forget this, leaving part of a site wide open to
unauthorized reads.
Any thoughts on this? What are the problems with the the zope.Traverse
idea?
-- Garrett
More information about the Zope3-dev
mailing list