Thanks, your points about "Access contents information" vs "View"
enlightened me enough to fix my problems.
Florent
Stuart Bishop <[EMAIL PROTECTED]> wrote:
>
> On Sunday, May 12, 2002, at 01:27 AM, Florent Guillaume wrote:
>
> > With an object path /A/B/C where C has a local role allowing a user to
> > view C but where B disallows acquisition of the View permission, the
> > publisher correctly allows the user to see C.
> >
> > However restrictedTraverse('/A/B/C') fails ("You are not allowed to
> > access B in this context"). This is because restrictedTraverse checks
> > the security (using "validate") at *every* step, and obviously the
> > user is not allowed to see B. Is there a reason for this ? Why not
> > simply validate only at the last step ?
>
> Note that it doesn't check for the View permission though - it
> checks for the 'Access contents information' permission. If this
> fails, it fails because the site manager has explicitly said
> that a group of users is not allowed to access any objects below
> this point.
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:[EMAIL PROTECTED]
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
