Gilles Lavaux writes:
> Maybe the answer is easy, but I cannot find the solution: (and maybe I was
> completely wrong about permissions)
>
>
> I have a folder containing SQLs and methods:
> /project
> and a subfolder which has its access and view security settings disabled for
> anonymous:
> /project/protected
>
> When anonymous accesses /project/index_html he sees the page: that's good.
> 1) When anonymous accesses /project/protected/index_html he also sees the page.
> Is it normal?? (the index_html is of course only inside /project)
>
> 2) If anonymous accesses /project/protected/some_method_with_sql and the result
> is empty, he sees the result page! That's strange.
> But if the result is not empty, he gets the authentication box: that's
> good.
>
> It's Zope 2.2.1

The security system does not use the full acquisition context but
only the containment. This is a security feature to prevent
a user with partial management rights in a subfolder from
affecting permissions for objects outside their area.

I think (am not sure!) that in your case, the "protected" context
is not used as your objects are in fact outside "protected".

Dieter
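
The containment rule described in the reply, as an added example that is not part of the original thread and is not Zope's own code. It is a simplified model: `Node`, `traverse`, `allowed_roles`, the `report` object and the role sets are assumptions chosen to mirror the /project and /project/protected layout from the question.

```python
# Simplified model of the behaviour described in the reply; not Zope's code.
# Node, traverse, allowed_roles and the sample tree are illustrative assumptions.
class Node:
    def __init__(self, name, container=None, view_roles=None):
        self.name = name
        self.container = container    # folder the object physically lives in
        self.view_roles = view_roles  # None means "inherit"
        self.children = {}
        if container is not None:
            container.children[name] = self

def traverse(root, path):
    """Resolve a URL path; a name missing from the current folder is
    acquired from the nearest folder already walked through."""
    walked = [root]
    for name in path.strip("/").split("/"):
        holder = next((f for f in reversed(walked) if name in f.children), None)
        if holder is None:
            raise KeyError(name)
        walked.append(holder.children[name])
    return walked[-1], walked[:-1]

def allowed_roles(obj, chain):
    """The first explicit View setting found on obj or along chain wins."""
    for node in [obj] + list(chain):
        if node.view_roles is not None:
            return node.view_roles
    return set()

def containment_chain(obj):
    """Physical containers of obj, innermost first; the URL plays no part."""
    chain, node = [], obj.container
    while node is not None:
        chain.append(node)
        node = node.container
    return chain

def anonymous_can_view(root, path, use_url_context=False):
    obj, walked = traverse(root, path)
    chain = list(reversed(walked)) if use_url_context else containment_chain(obj)
    return "Anonymous" in allowed_roles(obj, chain)

# Constructed sample tree mirroring the post: index_html lives in /project only.
root = Node("", view_roles={"Anonymous", "Manager"})
project = Node("project", root)
protected = Node("protected", project, view_roles={"Manager"})
Node("index_html", project)
Node("report", protected)  # hypothetical object stored inside /protected
```

With `use_url_context=True` the model applies the rule the question expected (folders named in the URL restrict access); the default applies containment only, so the setting on `protected` covers only objects stored inside it.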