On Thu, 12 Apr 2001, Tim McLaughlin wrote:
> Ok, so imagine a DTML method has an owner, and as the docs say the method
> can do no more than the authenticated user and the owner's permissions
> combined.  So, now delete the owner.

No, it is the *intersection* of the two ownership sets, not the union

> The DTML method will no longer be functional, since the owner does not
> exist, and has no permissions.  I found this to be true with ZClass

Not quite.  It will execute as if it were owned by nobody (the anonymous
user).  So it has very minimal privileges.

> constructors at least.  I believe that the method should take the
> permissions of the authenticated_user only in this scenario, but it does
> not.

Like I said (and the docs say), it is the interesection of the two
sets of privileges, so it is effectively just the permissions of
user nobody.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to