Dieter Maurer wrote:
>
> Andre Schubert writes:
> > I have a little security problem.
> > Let me explain.
> >
> > root/
> >   index_html
> >   foo/
> >     acl_users/
> >     bar/
> >       Image
> >
> > I have an image which could only be viewed by users with a role named
> > foobar; these users are in acl_users.
> > If I access the image through the web I must authenticate myself the
> > first time; after that everything works well.
> > But if I want to access the Image via <dtml-var Image> from the
> > index_html in the root folder I got no access.
>
> I expect, you get hit by a (in my view stupid) security feature:
>
>   When you are not authorized to access an object, then you
>   should not even see that it is there.
>
>   This is achieved by turning "Unauthorized" exceptions into
>   "KeyError" exceptions under some circumstances.
>
> The effect is similar to what you describe (at least, if I
> interpret "got no access" as a "NameError" or "KeyError" for
> "Image").
>
> If, however, you keep getting "Unauthorized" exceptions
> (i.e. login requests), then the reason may be that your
> initial request did not get authenticated by "foo/acl_users"
> but by a higher level "acl_users" that does not assign
> the correct role to the user.
>

This is exactly what I want.
I want a user which has to log in with foo/acl_users.
And this user should be allowed to view the Image through dtml.
Have I misunderstood restrictedTraverse, which says that an object will be
accessed by traversing a path and checking permissions for each object?

as

> Dieter

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
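
A simplified model of the two behaviours described in the quoted reply, added here as an illustration; it is not Zope code and not part of the original thread. Assumptions: the folder layout (Image under foo/bar), the login `andre`, and all function names are constructed, and user folders are consulted only along the path of the published object.

```python
class Unauthorized(Exception):
    """Raised when the current roles do not include the role an object needs."""

# Constructed model of the site in the question. "users" stands in for an
# acl_users folder; "needs" is the role required to view an object.
SITE = {
    "": {"users": {}},                        # root folder: does not know the user
    "index_html": {},
    "foo": {"users": {"andre": {"foobar"}}},  # foo/acl_users assigns role foobar
    "foo/bar": {},
    "foo/bar/Image": {"needs": "foobar"},     # assumed location of Image
}

def containers(path):
    """Folders that contain `path`, innermost first, ending at the root ('')."""
    parts = path.split("/")[:-1]
    return ["/".join(parts[:i]) for i in range(len(parts), -1, -1)]

def authenticate(published_path, login):
    """Roles for one request. Only user folders on the way to the published
    object are asked, so foo/acl_users is never consulted for /index_html."""
    for folder in containers(published_path):
        users = SITE[folder].get("users", {})
        if login in users:
            return users[login]
    return {"Anonymous"}

def restricted_traverse(path, roles):
    """Walk `path` one step at a time, checking the required role at each step."""
    parts = path.split("/")
    for i in range(1, len(parts) + 1):
        step = "/".join(parts[:i])
        obj = SITE[step]                      # KeyError if the object does not exist
        if "needs" in obj and obj["needs"] not in roles:
            raise Unauthorized(step)
    return path

def template_lookup(path, roles):
    """Lookup from a template: an object the user may not access is reported
    as missing (KeyError) instead of Unauthorized."""
    try:
        return restricted_traverse(path, roles)
    except Unauthorized:
        raise KeyError(path) from None
```

In this model a request for foo/bar/Image is authenticated by foo/acl_users and succeeds, while the same login rendering index_html in the root stays Anonymous, so the lookup of Image ends in a KeyError.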