Dieter Maurer writes: > Jerome Alet writes: > > Thanks to you, the syntax you gave me is accepted by the dtml parser, but > > both > > > > <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'], > > obj_expr='''not objectValues(['Folder'])''', > > search_sub=1)"> > > > > and > > > > <dtml-in "ZopeFind(this(), obj_metatypes=['Folder'], > > obj_expr='not objectValues([\'Folder\'])', > > search_sub=1)"> > > > > have given me an empty list. > I analysed this strange behavior in Zope 2.1.6 > and have a partial explanation. > > Although the permission setting for "objectValues" > is "Access contents information" which by default > is granted to "Anonymous" and "Manager", > only "Manager" is allowed to access "objectValues" > in the context of the above "ZopeFind". > > I could not yet determine, why this is the case. > > But taken this fact for granted, the behavior > becomes clear: the access to "objectValues" results > in an "Unauthorized" exception. This > is catched but prevents any object from being > added to the result list. By now, I know why we get this strange "objectValues__roles__" result inside ZopeFind. In "FindSupport:145", "ZopeFind" strips away the acquisition context of an object. base=obj if hasattr(obj, 'aq_base'): base=obj.aq_base if not hasattr(base, 'objectItems'): return result try: items=base.objectItems() except: return result This, too, removes the information needed for "acl_user" based authorization: In the traversal of the aquisition chain to determine the roles associated with "objectValues", the application object on top of the acquisition hierarchy is not longer reached. Therefore, "ApplicationDefaultPermissions" is not used and "PermissionRole" falls back to its own default "('Manager',)". This acquisition context stripping is almost surely responsible for other problems reported for ZopeFind, too. The behaviour would disappear, if the line try: items=base.objectItems() is replaced by try: items=obj.objectItems() Note: "ZopeFindAndApply" would need the same patch. I am not sure, however, whether this will have adverse effects at other places. I will put a reference to this report into the Collector. Dieter _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )