Example policy: DTML (Zope 2.1.6)
- If an access name begins with
aq_, then access is always allowed if the name is
aq_explicitand always disallowed otherwise.
- If an accessed value doesn't have a
__roles__attribute and the place it came from doesn't have and can't acquire a
__roles__attribute, then access is denied if the value was acquired and denied otherwise.
- I'm not sure if this is clear Jim, or is the double negative a typo?
For brevity, define
roles to be the accessed value's
__roles__, if present or the (possibly acquired)
of the object the accessed value came from.
- If the AUTHENTICATED_USER has any of the roles or the outermost DTML methods's proxy roles include any of the roles, then access is granted, otherwise, access is denied.