I have patched the Navigation and Management so the drop-down containing 'Set Preferences' and 'Logout' is displayed in the menu frame. The 'Set Preferences' displays a customized page to the user to set a unique set of options for my application. My product consists of several additional roles and relies heavily on a nested structure of folders and acl_users for granting access.
Previously, under 2.7 I set default security for every store, which is a top level container, and the entire site consists of several stores. I have now upgraded to 2.8, created each store as a separate mount point so it has its own ZODB, and security is set at the root level. However, now if a 'Custodian' with an account nested inside of a store chooses to go to 'Set Preferences' they receive an Unauthorized error. Zope complains on the RESPONSE.setHeader() call contained in manage_page_header. I have gone as far as to set __roles__=None on the manage_page_header and preferences page in my Navigation patch. Only those users with an account established at the root can gain access to the preferences. Otherwise, they receive an error. If I allow Anonymous all permissions in the Security Tab (big bad no-no in my case) then users below the root level can gain access to the preferences page.
In my understanding of Security, I thought declaring __roles__=None would also allow users to access an object without needing to pass security. What could I possibly be missing???? My site, including the bug, is currently public and to be demoed in two days. Any assistance or guidance is greatly appreciated.