Aaron Straup Cope writes:
 > I did not want to allow the Anonymous role *any* permissions, and the
 > site I am working in is contained in a folder beneath the root Zope
 > folder. 
 > The problem was that I had disabled the "Access contents
 > information" privilege for the Anonymous user (whose permissions I forgot
 > are inherited by all other users) at the root level, thus preventing Joe
 > User from being able to access internals(?) like
 > ZopeTime even if [it] had permissions at a sub-directory level.
Sorry, I was wrong, at least partially!

The fact, that "ZopeTime" returns an unprotected DateTime object,
does of cause not mean that "ZopeTime" itself is unprotected.

After your message, I reexamined your problem:

 * "ZopeTime" is defined in "OFS.Application.Application",
   i.e. the top level application object.

 * "ZopeTime" apparently is not protected by an explicit
   permission (neither mentioned in an "__ac_permissions__"
   nor is there a "ZopeTime__roles__" attribute nor
   is there a new SecurityManager assertion about

   As I understand Zope 2.2 security, this should mean
   "ZopeTime" is inaccessible from DTML.
 * However, magically, "ZopeTime" is protected by "Access Contents

I can not tell you why.
Both is astonishable:
  * that it is accessible by DTML at all
  * why "Access Contents Information" is required.

Apparently, the Zope security still has some hidden magic.


Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )

Reply via email to