Dieter Maurer wrote:
> Andre Schubert writes:
> > I have a little security problem.
> > Let me explain.
> > root/
> > index_html
> > foo/
> > acl_users/
> > bar/
> > Image
> > I have an image which can only be viewed by users with a role named
> > foobar; these users are in acl_users.
> > If I access the image through the web, I must authenticate myself for the
> > first time; after that everything works well.
> > But if I want to access the Image via <dtml-var Image> from the
> > index_html in the root folder, I get no access.
> I expect, you get hit by a (in my view stupid) security feature:
> When you are not authorized to access an object, then you
> should not even see that it is there.
> This is achieved by turning "Unauthorized" exceptions into
> "KeyError" exceptions under some circumstances.
> The effect is similar to what you describe (at least, if I
> interpret "got no access" as a "NameError" or "KeyError" for
> If, however, you keep getting "Unauthorized" exceptions
> (i.e. login requests), then the reason may be that your
> initial request did not get authenticated by "foo/acl_users"
> but by a higher level "acl_users" that does not assign
> the correct role to the user.
This is exactly what I want. I want a user which has to login with
And this user should be allowed to view the Image through dtml.
Have I misunderstood restrictedTraverse, which says that an object will
be accessed by traversing
a path and checking permissions for each object?
> Zope-Dev maillist - [EMAIL PROTECTED]
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope )
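A simplified model of the two behaviours Dieter describes, added here as an illustration; it is not Zope code and does not come from the thread. All class and function names are hypothetical, and placing Image at foo/bar/Image is an assumption about the flattened tree in the question.

```python
# Toy model, NOT Zope code: every name below is hypothetical.
class Unauthorized(Exception):
    pass

class Node:
    def __init__(self, name, required_role=None, users=None):
        self.name = name
        self.required_role = required_role  # role needed to view; None = public
        self.users = users or {}            # stands in for an acl_users folder
        self.children = {}
        self.parent = None

    def add(self, child):
        child.parent = self
        self.children[child.name] = child
        return child

def authenticate(published, username):
    """Walk up from the published object; the first user folder that knows
    the user decides the roles. Folders below the published object are
    never consulted."""
    node = published
    while node is not None:
        if username in node.users:
            return set(node.users[username])
        node = node.parent
    return set()  # nobody recognised the user: anonymous, no roles

def restricted_traverse(root, path, roles):
    """Follow the path and check the required role on each object."""
    node = root
    for part in path.split("/"):
        node = node.children[part]
        if node.required_role and node.required_role not in roles:
            raise Unauthorized(part)
    return node

def template_lookup(root, path, roles):
    """Name lookup from a template: a denied object is reported as missing."""
    try:
        return restricted_traverse(root, path, roles)
    except Unauthorized as exc:
        raise KeyError(str(exc)) from None

def build_site():
    # Constructed sample site; assumes Image lives at foo/bar/Image.
    root = Node("root")
    root.add(Node("index_html"))
    foo = root.add(Node("foo", users={"andre": ["foobar"]}))
    foo.add(Node("bar")).add(Node("Image", required_role="foobar"))
    return root
```

In this model, requesting the Image directly authenticates against foo's user folder and succeeds, while rendering root/index_html never reaches that folder, so the same lookup fails with KeyError.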