I too have a doubt about security stuff.
It so happens that I have this setup:
I have a user X in the root folder. Roles are such that anonymous doesn't
have permission for anything. Then, there is a User role that
is allowed some stuff, and I assign the local role of User to X in Inheritedstuff.
He can now see index_html. I proxy-role index_html to the User role
so I can <dtml-var somestuff> that is in myfolderobjects, somestuff
being a DTML method.
It works. X can access index_html, which in turn includes somestuff
from its parent folder, and I did not have to give him explicit rights
to any of the objects in myfolderobjects.
BUT, if I try to <dtml-var somesqlmethod>, it won't work. Note
that the User role does have permission to run SQL methods.
That's, in my point of view, a mistake in Zope's security policy.
If I proxy-role a document or method, I should be able to acquire anything
specified in it from its parent hierarchy.
Please help or tip. Thanks =)
Seb Bacon wrote:
Does Zope security provide a way of restricting what
objects are listed to
an authenticated user inside the Zope 'manage' interface? I'm
head all twisted up over this security / proxy roles /local roles lark.
Manuel Amador (Rudd-O)