
Creating a DTML Method which is publicly viewable but editable only by Managers


A basic public website built with Zope is made up of a number of documents which should be viewable by the general public, also known as anonymous users. Anonymous users should not, however, be able to modify these documents or even view their management interfaces. The default security settings of new documents ensure this by using acquired permissions, but it is useful to demonstrate how this can be done explicitly.

First, create a DTML Method. Next, click on the newly-created DTML Method to visit its management screen, then click on the Security tab to view the current security settings, as shown in Figure 11. By default, for most objects, there are no explicit roles set for any permissions; all permission settings are acquired from the containing folders.

To make the DTML Method viewable by anybody and editable only by managers, unselect all the acquired permission settings, explicitly set the roles shown in Figure 14, then select "Change". Note that it does not matter whether or not the Manager role has the View permission, since all users implicitly have the Anonymous role. Unselecting the acquired permission settings prevents additional roles from being granted the management permissions through acquisition. Disabling acquisition of permission settings eliminates the ability to manage security for the object centrally and is generally undesirable. However, when specific access is absolutely required, disabling acquisition does provide a finer level of control. Additionally, explicitly setting the desired roles assures that those roles have the permissions, regardless of settings in higher-level folders.
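To see why unselecting the acquire boxes matters, here is an added model of how Zope resolves a permission's roles up the containment tree; it is not Zope's own code. It assumes the documented convention that a permission setting stored as a list is acquired from the parent while a tuple stops acquisition, that `manage_permission(permission, roles, acquire)` is the call the Security tab makes, and that `("Manager",)` is the fallback when no setting is found anywhere (the tree of objects is constructed for the example).

```python
# Added example, not Zope's code: a small model of Zope permission acquisition.
# Convention modelled: list setting = acquired (merged with parents),
# tuple setting = explicit (acquisition disabled, lookup stops here).

DEFAULT_ROLES = ("Manager",)  # assumption: fallback when nothing is set anywhere


class SecObject:
    """An object in a Zope-like containment tree with per-permission role settings."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self._perms = {}  # permission name -> tuple (explicit) or list (acquired)

    def manage_permission(self, permission, roles=(), acquire=False):
        # Same call shape as Zope's RoleManager.manage_permission; this model
        # only stores the setting (the real method also persists and validates).
        self._perms[permission] = list(roles) if acquire else tuple(roles)

    def roles_for_permission(self, permission):
        """Walk up the tree, merging acquired settings until an explicit one is hit."""
        roles = set()
        obj = self
        while obj is not None:
            setting = obj._perms.get(permission)
            if setting is not None:
                roles.update(setting)
                if isinstance(setting, tuple):  # acquisition unselected: stop here
                    return roles
            obj = obj.parent
        return roles or set(DEFAULT_ROLES)

    def allowed(self, permission, user_roles):
        """Anonymous in the permission's roles grants everyone, as in Zope's policy."""
        roles = self.roles_for_permission(permission)
        return "Anonymous" in roles or bool(roles & set(user_roles))


def build_site():
    """Constructed tree: a site folder that also lets Owners edit, plus one method."""
    site = SecObject("site")
    site.manage_permission("Change DTML Methods", ["Manager", "Owner"], acquire=True)
    site.manage_permission("View", ["Anonymous"], acquire=True)
    page = SecObject("index_html", parent=site)
    # The settings from this section: public View, Manager-only edit, no acquisition.
    page.manage_permission("View", ["Anonymous"], acquire=False)
    page.manage_permission("Change DTML Methods", ["Manager"], acquire=False)
    return site, page
```

Re-enabling acquisition on `page` for "Change DTML Methods" lets the site folder's Owner role leak in, which is exactly what unselecting the acquire box prevents.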

DTML Method Security view after explicitly setting security

