Zope 2.2.2 on linux I have a web site where almost every page can only be viewed by authenticated (non anymous) users. I want to create one page that anonymous viewers can see. But to create this page I want to reuse (not duplicate) existing dtml, so I gave this page a proxy role "PUBLIC" and gave that role view and access contents rights. Unfortunately dtml methods called by this dtml document lose their proxy rights and revert back to anonymous, hence I get NameError and so forth from the called dtml methods. 1. Why is it that proxy roles don't propogate and accumulate when methods are called? 2. I'm actually using simple ZSQL traversal, like this: mysite.com/MyFolder/MyZSQL/138348343/PublicInfo PublicInfo is the DTML Doc with proxy role = PUBLIC. MyZSQL is an SQL Method that doesn't appear to be viewable by anonymous. However when called using simple traversal shown above, the SQL method IS executed. Is this a security bug? It seems that anonyous users can "call" an sql method using traversal even if security disallows anonymous View. Brad Clements, [EMAIL PROTECTED] (315)268-1000 http://www.murkworks.com (315)268-9812 Fax netmeeting: ils://ils.murkworks.com AOL-IM: BKClements _______________________________________________ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
