Where is the initial code for setting permissions in the ZODB? It looks like the "Copy or Move" permission is give to Anonymous by default at ZODB creation in Zope, which is ahem wrong. Cant find the code that sets that up though, can anyone throw me a clue stick that grep can't? Thanks. -- Andy McKay ClearWind Consulting http://www.clearwind.ca
Sure enough as soon as I email the list I remembered permissions can be declared anywhere, one grep more and there it is in CopySupport.py, 385: class CopySource(ExtensionClass.Base): """Interface for objects which allow themselves to be copied.""" # declare a dummy permission for Copy or Move here that we check # in cb_isCopyable. __ac_permissions__=( ('Copy or Move', (), ('Anonymous', 'Manager',)), ) Of course you need to be able to paste... so may not be a huge problem, just looks wrong :) -- Andy McKay http://www.agmweb.ca
Yeah, wrong but toothless. Feel free to fix on appropriate branches I guess :-)
Well yeah but Im betting its there for a reason, I just dont know what it is yet. Changing that is sure to break something... -- Andy McKay ClearWind Consulting http://www.clearwind.ca
Andy McKay wrote:
Yeah, wrong but toothless. Feel free to fix on appropriate branches I guess :-)
Well yeah but Im betting its there for a reason, I just dont know what it is yet. Changing that is sure to break something...
Well, do it and I'm sur we'll soon find out :-) Chris
On Wed, 2003-10-08 at 18:45, Andy McKay wrote:
Yeah, wrong but toothless. Feel free to fix on appropriate branches I guess :-)
Well yeah but Im betting its there for a reason, I just dont know what it is yet. Changing that is sure to break something...
The best I could find out is this snippet in Zope 2.6.2 CHANGES.txt - A new permission "Copy or Move" was added. This permission may be used respective to an object to prevent objects from being copyable or movable while within the management interface. The "old" behavior stipulated that users whom possessed the "View management screens" permission to an object's container could copy or move the object arbitrarily, even if they had limited access to the object itself. Once the object was moved or copied, the user became the owner of the new object, allowing them to see potentially sensitive information in the management interface for the object itself. This permission is granted to Manager and Anonymous by default, and must be revoked on an object-by-object basis if site managers intend to provide management screen access to folders which contain sensitive subobjects. This patch came as a result of Collector #376 (thanks to Chris Deckard). Cheers, Leo
participants (4)
-
Andy McKay -
Andy McKay -
Chris Withers -
Leonardo Rochael Almeida