Danny William Adair schrieb: > > On Saturday 24 November 2001 01:40, Andre Schubert wrote: > > root/ > > index_html > > foo/ > > acl_users/ > > bar/ > > Image > > > > I have a image which could only be view by users with a role named > > foobar, these users are in acl_users. > > If i access the image through the web a must authenticate myself for the > > first time, after that everything works well. > > But if i want to access the Image via <dtml-var Image> from the > > index_html in the root-folder a got no access. > > After searching at Zope.org i tested with <dtml-var > > "restrictedTraverse('foo/bar/Image')"> but this doesnt works. > > How do i authenticate myself in foo if i access the folder via dtml. > > In your "Image" object, give the "Access Contents Information" to the role > "Anonymous" (or whoever usually views index_html), but keep "View" forbidden > for Anonymous (allowed only for "foobar" role owners). So it is. > > This way, the var tag (which could have been called by Anonymous) will be > able to "see" the object, and Zope will authenticate automatically, if this > is necessary in order to view it. This doesn't work, because the user it not known in root where the index_html is, the user is known in the folder view.
> > For security reasons, your Image object will not even be "found", if the > caller's role does not have the "Access Contents Information" permission. I > find this a good idea and reason. > > There is no difference whether you climb to "Image" using restrictedTraverse, > the "with" tag, or directly. All these will have identical results. > > If you want to avoid the separate permission settings (because you have a lot > of Image objects you want to behave like that), either give "index_html" a > proxy role that has the "Access Contents Information" permission on "Image" > (or the whole "bar" folder), or use unrestrictedTraverse in index_html. > > hth, > Danny as _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )