Re: [Zope-dev] Help on Zope security needed ...
Just resending to zope-dev, silly me addressed zope at first... Hi, just to give a little more weight to that...
> The funny thing is: http://.../ROOT/FOLDER/title will work fine ...
Indeed, funny. Should probably not happen. Are you sure you get the "title" from root and not that from "FOLDER" (it has a "title" of its own)?
Just tested it with blank zope 2.3.3
/ method - testfolder - userfolder with user test and manager role (just in testfolder!)
The following doesn't work for user test:
http://localhost/method/manage
The following _will_ work for user test:
http://localhost/testfolder/method/manage
and lets me change method, which is contained in Zope's root.
Hmm, this shouldn't be so, should it?
cheers, olier
> Just tested it with blank zope 2.3.3
> / method - testfolder - userfolder with user test and manager role (just in testfolder!)
> The following doesn't work for user test:
> http://localhost/method/manage
> The following _will_ work for user test:
> http://localhost/testfolder/method/manage
> and lets me change method, which is contained in Zope's root.
> Hmm, this shouldn't be so, should it?
No, it shouldn't.
Am starting to think that the Zope security model implementation is a bit "strange". What I'd need in practice is a security model that
a) is completely predictable (that's what http://dev.zope.org/Wikis/DevSite/Proposals/SecurityJihad is working on)
b) would normally make sure that somebody in a subfolder can not get access to anything that is explicitly protected in the parent folder
c) would on the other hand offer the possibility to bind access to a role, regardless where in the folder hierarchy somebody gets the role.
The problem is with acquisition: If I have an "editButtonsBar" widget in my root directory, I'd like to make it available to ALL Editors, not just to the ones who have editor roles in root.
On the other hand, if I have a standard header or footer that should not be overridden in a subfolder, this should be possible. This means I'd not only need a permission that can not be bound to roles in the subfolder, but also a mechanism to prevent overriding the object ...
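The following is an added toy model, not Zope's code or anyone's message in this thread. It simulates URL traversal with acquisition on the tree Oliver described (root containing "method" and "testfolder", user "test" with Manager only in testfolder) and compares two ways of deciding access: collecting roles along the URL the request travelled (which reproduces the observed behaviour) versus collecting roles only from the object's real containers (one way to state requirement b). The object names, the "Manage"/"View" permission names, the "editButtonsBar" widget and the user "ed" are constructed for the example; Zope's actual security machinery is more involved than this.

```python
# Added example (toy model, not Zope's implementation): URL traversal with
# acquisition plus two access-check policies, on a tree constructed to match
# the scenario in the thread.
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    children: dict = field(default_factory=dict)
    local_roles: dict = field(default_factory=dict)       # user -> set of roles
    permission_roles: dict = field(default_factory=dict)  # permission -> roles

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def traverse(root: Node, path: str):
    """Walk a URL path the way acquisition does: each name is looked up in the
    current object, then in its containers.  Returns the object found and the
    chain of objects the URL passed through (the acquisition context)."""
    node, chain = root, [root]
    for name in path.strip("/").split("/"):
        holder = node
        while holder is not None and name not in holder.children:
            holder = holder.parent
        if holder is None:
            raise KeyError(name)
        node = holder.children[name]
        chain.append(node)
    return node, chain


def ancestors(obj: Node):
    """The object's real containment chain, innermost first."""
    n = obj
    while n is not None:
        yield n
        n = n.parent


def roles_allowed(obj: Node, permission: str) -> set:
    """Permission-to-role mapping, acquired from the object's real containers."""
    for n in ancestors(obj):
        if permission in n.permission_roles:
            return set(n.permission_roles[permission])
    return set()


def roles_from(user: str, nodes) -> set:
    """Union of the user's local roles over the given objects."""
    return set().union(*(n.local_roles.get(user, set()) for n in nodes))


def may_by_context(root: Node, user: str, path: str, permission: str) -> bool:
    """Policy A: roles are collected along the URL (acquisition context).
    Reproduces the observation: a Manager in testfolder who requests
    /testfolder/method gets to manage root's 'method'."""
    obj, chain = traverse(root, path)
    return bool(roles_from(user, chain) & roles_allowed(obj, permission))


def may_by_containment(root: Node, user: str, path: str, permission: str) -> bool:
    """Policy B: roles are collected only from the object's real containers,
    so a role granted inside a subfolder never applies to a root object."""
    obj, _ = traverse(root, path)
    return bool(roles_from(user, ancestors(obj)) & roles_allowed(obj, permission))


def build_scenario() -> Node:
    """Constructed tree: root holds 'method', 'editButtonsBar' and 'testfolder';
    'test' is Manager only in testfolder, 'ed' is Editor only in testfolder."""
    root = Node("root")
    root.permission_roles["Manage"] = {"Manager"}
    root.permission_roles["View"] = {"Manager", "Editor"}
    root.add(Node("method"))
    root.add(Node("editButtonsBar"))
    tf = root.add(Node("testfolder"))
    tf.local_roles["test"] = {"Manager"}
    tf.local_roles["ed"] = {"Editor"}
    return root


if __name__ == "__main__":
    root = build_scenario()
    for policy in (may_by_context, may_by_containment):
        print(policy.__name__,
              "test manages /method:", policy(root, "test", "/method", "Manage"),
              "test manages /testfolder/method:",
              policy(root, "test", "/testfolder/method", "Manage"),
              "ed views /testfolder/editButtonsBar:",
              policy(root, "ed", "/testfolder/editButtonsBar", "View"))
```

Running it shows the tension Joachim describes: policy A lets the subfolder Manager change the root's "method" but also lets a subfolder Editor use the root's "editButtonsBar" (requirement c), while policy B blocks both. A model that satisfies both b) and c) needs a per-object or per-permission choice between the two policies, which is exactly the extra mechanism the message asks for.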
I am following up on this at the moment, hang tight.
Joachim Werner wrote:
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
--
Chris McDonough
Zope Corporation
http://www.zope.org http://www.zope.com
""" Killing hundreds of birds with thousands of stones """
I checked this in an "old" Zope 2.1.6: There I can do http://localhost/testfolder/method, too, but at least NOT .../manage! So there seem to have been some changes into the wrong direction ...
Cheers
Joachim
Participants (3): Chris McDonough, Joachim Werner, Oliver Bleutgen