
Sooner or later you will run into a hard-to-figure-out Unauthorized error with Zope. The purpose of the verbose-security option is to explain exactly what causes such errors. Site admins and developers should definitely master this tool. From zope.conf:

# Directive: verbose-security
#
# Description:
#     By default, Zope reports authorization failures in a terse manner in
#     order to avoid revealing unnecessary information.  This option
#     modifies the Zope security policy to report more information about
#     the reason for authorization failures.  It's designed for debugging.
#     If you enable this option, you must also set the
#     'security-policy-implementation' to 'python'.
#
# Default: off
#
# Example:
#
#    security-policy-implementation python
#    verbose-security on

Notes:

  • Verbose security reporting activates only when an Unauthorized exception is raised, e.g. when you cancel your web browser's basic authentication dialog; a cookie-based login form will not activate it. Plone/CMF users must disable cookie-based login by clearing the 'Auto-login page ID' field in their cookie_authentication tool.

    http://plone.org/documentation/apis/developer/HowToDebugUnauthorized - detailed how-to for Plone

  • For full detail, you must turn on the Python security policy implementation, which runs more slowly (how much?). Without this, verbose security will still give some extra detail, but not as much. (please confirm)

  • Prior to Zope 2.8, this functionality was provided by a separate product by Shane Hathaway: http://hathaway.freezope.org/Software/VerboseSecurity
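
A small lint for the dependency stated in the zope.conf excerpt above, added here as an example and not part of Zope or the original page: it reads the top-level directives and reports when verbose-security is on without the Python security policy, and whenever it is on at all, since it is a debugging setting. The function names, the sample configs, the accepted boolean spellings and the assumed default of C for security-policy-implementation are assumptions of this example.

```python
# Added example (not Zope code): lint zope.conf text for verbose-security.
TRUE_WORDS = {"on", "yes", "true"}  # spellings treated as boolean true (assumption)

def top_level_directives(text):
    """Return {key: value} for directives outside any <section> block."""
    found, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#%":
            continue  # blank line, comment, or %define/%import
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            if not line.endswith("/>"):
                depth += 1  # an opening <section> line
        elif depth == 0:
            parts = line.split(None, 1)
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def check_verbose_security(text):
    """Return a list of findings about the verbose-security setting."""
    conf = top_level_directives(text)
    verbose = conf.get("verbose-security", "off").lower() in TRUE_WORDS
    # Assumption: the policy implementation defaults to the C one when unset.
    policy = conf.get("security-policy-implementation", "c").lower()
    findings = []
    if verbose and policy != "python":
        findings.append("verbose-security on without "
                        "security-policy-implementation python")
    if verbose:
        findings.append("verbose-security on: debugging setting, "
                        "authorization failures report extra detail")
    return findings

# Constructed sample configs (not taken from a real instance).
DEBUG_MISCONFIGURED = """\
instancehome /srv/zope/instance
verbose-security on
<http-server>
  address 8080
</http-server>
"""
DEBUG_COMPLETE = "security-policy-implementation python\nverbose-security on\n"
SHIPPED_DEFAULT = "#    security-policy-implementation python\n#    verbose-security on\n"

if __name__ == "__main__":
    for name in ("DEBUG_MISCONFIGURED", "DEBUG_COMPLETE", "SHIPPED_DEFAULT"):
        print(name, check_verbose_security(globals()[name]))
```

Running the check against a production instance's zope.conf before deployment catches a debugging session's setting that was never turned back off.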


