On Tue, Jun 10, 2008 at 9:34 AM, Stephan Richter <srichter@cosmos.phy.tufts.edu> wrote:
On Monday 09 June 2008, Daniel Blackburn wrote:
It seems that there either may be an issue with Zope security or I do not understand it properly. Please let me know what you guys think.
Let's say we have a principal with no direct permissions or roles assigned to see a view index.html. The principal has two groups, group1 and group2. group1 allows the principal to see index.html and group2 denies access to index.html. It seems to me that in this situation of conflicting permissions a deny permission should result for the principal to the index view. However it does not, the permission will be digested into allowing the principal to have access to the view. Is this the desired behavior, or just simply overlooked? I looked in the doctests and did not see anything like this. Any feedback would be appreciated.
I would expect the order of the groups to matter and simply the setting that is found last wins. This is a third possible behavior that mimics Python's inheritance behavior.
The order seems to have no effect on the inheritance, I just ran the tests with two groups and toggled the permissions on each.
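
The three conflict-resolution behaviours discussed in this thread, as an added example that is not part of the original messages and is not Zope's own code: a simplified model in which each group carries an Allow, Deny or Unset setting for a single permission. The function names and the sample data are assumptions made for illustration.

```python
from enum import Enum
from itertools import permutations


class Setting(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    UNSET = "Unset"


# Constructed sample data: the thread's scenario for one view permission.
GROUP_SETTINGS = {"group1": Setting.ALLOW, "group2": Setting.DENY}


def _opinions(groups, settings):
    """Settings of the groups that actually say something, in group order."""
    found = (settings.get(g, Setting.UNSET) for g in groups)
    return [s for s in found if s is not Setting.UNSET]


def allow_wins(groups, settings):
    """Behaviour reported in the thread: one group Allow grants access."""
    seen = _opinions(groups, settings)
    return True if Setting.ALLOW in seen else (False if seen else None)


def deny_wins(groups, settings):
    """Behaviour the original poster expected: one group Deny blocks access."""
    seen = _opinions(groups, settings)
    return False if Setting.DENY in seen else (True if seen else None)


def last_wins(groups, settings):
    """Behaviour suggested in the reply: the setting found last decides."""
    seen = _opinions(groups, settings)
    return (seen[-1] is Setting.ALLOW) if seen else None


def order_sensitive(strategy, groups, settings):
    """True if reordering the principal's groups can change the decision."""
    return len({strategy(list(p), settings) for p in permutations(groups)}) > 1


if __name__ == "__main__":
    groups = ["group1", "group2"]
    for strategy in (allow_wins, deny_wins, last_wins):
        print(strategy.__name__,
              strategy(groups, GROUP_SETTINGS),
              "order-sensitive:", order_sensitive(strategy, groups, GROUP_SETTINGS))
```

Only the last-wins model changes its answer when the groups are reordered, so the order-independence observed in the test run is consistent with either of the other two models, and the granted access distinguishes allow-wins from deny-wins.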