Hi,

I've got a container in which all of my users have the 'zope.ManageContent' permission. A subobject of the container is sensitive: users must not be able to change this object, which means I have to take away the 'zope.ManageContent' permission from all my users (except for one!) whenever context=subobject.

I tried using security annotations, which worked fine for single users:

    ('user-xy','zope.ManageContent',Deny)
    ('user-owner','zope.ManageContent',Allow)

However, this is rather impractical for 1000+ users, so I tried:

    ('zope.Everybody','zope.ManageContent',Deny)
    ('user-owner','zope.ManageContent',Allow)

It didn't work :-(

The greater picture: I need a "Sticky-Bit" container. Users with the 'zope.ManageContent' permission should be allowed to create (certain kinds of) objects, which will be automatically security (role-)annotated (principal.id,'mpgsite.Owner',Allow). The 'mpgsite.Owner' role implies some permissions, incl. 'zope.ManageContent'. Unfortunately, 'zope.ManageContent' is inherited from the container, granting editing rights to everyone.

Did I miss anything, or is it impossible to "de-assign" a permission based on roles/groups?

Regards,
Frank