Hello,

This is the second time I have had this problem. I am reporting it again because the answer I got last time was not 'sure' (see bottom of mail), and I would like a 'definitive' explanation from some Zope guru. I hope my explanation will be clear.

I have 3 folders for a project called 'sms':

  /sms/shtml            which is accessible by anonymous
  /sms/shtml/stations   which is not accessible by anonymous, only by 'operator' and station users
  /sms/admin            which is accessible only by the 'operator' user

  /sms/acl_users                  contains the 'operator' user with role 'sms_admin'
  /sms/shtml/stations/acl_users   contains several station users (station1, station2, etc...) with role 'station'

1) The 'operator' user has permission to access /shtml/stations. Operator authentication is forced by accessing a '/sms/admin/login' method.

2) A method 'check' is inside the '/sms/shtml' folder; this method (also) displays the HTTP authenticated user.

My problem: I am logged in as 'operator'. Sometimes, accessing '/sms/shtml/stations/check' shows me:

  - Logged in as: Anonymous User and has role(s): Anonymous

instead of:

  - Logged in as: operator and has role(s): sms_admin

Why???????? (This happens with IE and Netscape.)

I just have a guess: the 'operator' user is defined in '/sms/acl_users' and my stationx users are defined in '/sms/shtml/stations/acl_users'. So: is it possible that when I do my 'check' as operator, the acquisition goes to the acl_users which contains the stationx users and misses the other acl_users folder (which is two levels above)?

Another investigation: I am logged in as operator in a new browser and have the problem. I click on a link for a stationx user but cancel the HTTP authentication, and then the problem disappears.

I am able to use a workaround, but I would like to understand what causes my problem. Is there a way to display which object has triggered the authentication, and which acl_users folder is used??

Help please...

Thanks.
Gilles Lavaux

Last time's reply by Dieter Maurer:

> The security system does not use the full acquisition context but only the containment. This is a security feature to prevent a user with partial management rights in a subfolder from affecting permissions for objects outside its area.
>
> I think (am not sure!) that in your case, the "protected" context is not used as your objects are in fact outside "protected".
>
> Dieter

_______________________________________________
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
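
The containment-versus-acquisition-context distinction in the quoted reply, applied to the folder layout from the post. This is an added illustration, not Zope code and not written by either poster; the `Node` class and helper names are hypothetical, and it models only which acl_users folders each kind of lookup would visit, not Zope's actual validation logic.

```python
class Node:
    """Hypothetical stand-in for a Zope object; 'container' is where it physically lives."""
    def __init__(self, name, container=None, has_acl_users=False):
        self.name = name
        self.container = container
        self.has_acl_users = has_acl_users

    def path(self):
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.container
        return "/" + "/".join(reversed(parts))


def containment_chain(obj):
    """Containers of obj, innermost first, following physical location only."""
    chain, node = [], obj.container
    while node is not None:
        chain.append(node)
        node = node.container
    return chain


def context_chain(url_parents):
    """Folders traversed in the request URL, innermost first (acquisition context)."""
    return list(reversed(url_parents))


def user_folders(chain):
    """Paths of the acl_users folders met while walking a chain outward."""
    return [n.path() + "/acl_users" for n in chain if n.has_acl_users]


# Layout from the post: 'check' lives in /sms/shtml, not in /sms/shtml/stations.
sms = Node("sms", has_acl_users=True)
shtml = Node("shtml", sms)
stations = Node("stations", shtml, has_acl_users=True)
check = Node("check", shtml)


def compare_lookups():
    # Request URL from the post: /sms/shtml/stations/check
    url_parents = [sms, shtml, stations]
    return {
        "containment": user_folders(containment_chain(check)),
        "context": user_folders(context_chain(url_parents)),
    }


if __name__ == "__main__":
    for kind, folders in compare_lookups().items():
        print(kind, "->", folders)
```

In this model the stations user folder appears only in the URL-based context chain, because 'check' is contained in /sms/shtml and reaches 'stations' only through acquisition.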