I too have a doubt about security stuff.

It so happens that I have this setup:

+   myfolderobjects
      +    inheritedstuff

I have a user X in the root folder. Roles are set so that anonymous doesn't have permission for anything. Then, there is a user role that is allowed some stuff, and I assign the local role of User to X in inheritedstuff. He can now see index_html. I proxy-role index_html to the User role so I can <dtml-var somestuff> that is in myfolderobjects, somestuff being a DTML Method.

It works. X can access index_html, which in turn includes somestuff from its parent folder, and I did not have to give him explicit rights to any of the objects in myfolderobjects.

BUT, if I try to <dtml-var somesqlmethod>, it won't work. Note that the User role does have permission to run SQL methods.

That's, in my point of view, a mistake in Zope's security policy. If I proxy-role a document or method, I should be able to acquire anything specified in it from its parent hierarchy.

Please help or tip.  Thanks =)

Seb Bacon wrote:

Does Zope security provide a way of restricting what objects are listed to
an authenticated user inside the Zope 'manage' interface?  I'm getting my
head all twisted up over this security / proxy roles /local roles lark.

Thanks, seb


Manuel Amador (Rudd-O)
