Hi! I am trying to get into understanding the Zope security machinery (Zope 2.4), and it seems to not quite do things as expected:

I have a Folder hierarchy like this:

ROOT
  --FOLDER

- In ROOT I have a method "title" and the "index_html" method
- I have a user "Charly" that has the role "TitleViewer" in a user folder in FOLDER
- the method "title" has View permissions linked to "TitleViewer" and "Manager"
- the "index_html" method contains a string "<dtml-var title missing>"

Now I go to http://.../ROOT/FOLDER/index_html. My user is "Charly".

I would expect to see the title now, but I don't. If I remove the "missing" from the <dtml-var title>, I will get a key error for "title".

The funny thing is: http://.../ROOT/FOLDER/title will work fine ...

Also, if the user is in the ROOT folder, everything works fine. But then I can't really do what I want, i.e. restrict permissions to the FOLDER folder ...

What is wrong there? I don't have a clue what Zope protects why and how. I always thought I knew about Zope security. But as soon as I add local roles or local user folders, things become very strange.

I mean, if the idea is that the user must have the "TitleViewer" role in ROOT to see title, then http://.../ROOT/FOLDER/title should not work (but it does). But if the idea is that objects are acquired first and then user roles are checked against them, http://.../ROOT/FOLDER/index_html should display the title stuff (but it does not).

Cheers

Joachim
Joachim Werner writes:
> I am trying to get into understanding the Zope security machinery (Zope 2.4), and it seems to not quite do things as expected:
>
> I have a Folder hierarchy like this:
>
> ROOT
>   --FOLDER
>
> - In ROOT I have a method "title" and the "index_html" method
> - I have a user "Charly" that has the role "TitleViewer" in a user folder in FOLDER
> - the method "title" has View permissions linked to "TitleViewer" and "Manager"
> - the "index_html" method contains a string "<dtml-var title missing>"
>
> Now I go to http://.../ROOT/FOLDER/index_html. My user is "Charly".
>
> I would expect to see the title now, but I don't. If I remove the "missing" from the <dtml-var title>, I will get a key error for "title".

That's as it should be:

Zope security had been strengthened to explicitly forbid access to objects outside the folder covered by the authenticating user folder.

> The funny thing is: http://.../ROOT/FOLDER/title will work fine ...

Indeed, funny. Should probably not happen. Are you sure you get the "title" from root and not that from "FOLDER" (it has a "title" of its own)?

> Also, if the user is in the ROOT folder, everything works fine. But then I can't really do what I want, i.e. restrict permissions to the FOLDER folder ...

That's to be expected, because then the authenticating user folder covers the "title" method.

Dieter
Hello Dieter!

> Zope security had been strengthened to explicitly forbid access to objects outside the folder covered by the authenticating user folder.

That's good in terms of security. But also extremely limiting. My idea was that I'd be able to say "All editors can edit stuff" and protect the corresponding methods with the "Edit stuff" permission. Then I'd assign the "Editor" role on a local basis, either using local roles or our Slave User Folder. So I could have an Editor that can edit stuff in some subfolders (where he is "Editor"), but not everywhere.

With the limitations the security machinery seems to have, I'll have to do it the hard way: set up all users in the root folder and then create dozens or even hundreds of dedicated roles like "Add stuff to folder FOLDER" or "Add stuff to folder ROOT" ... This is ugly ... Isn't there any better way?

> > The funny thing is: http://.../ROOT/FOLDER/title will work fine ...
>
> Indeed, funny. Should probably not happen. Are you sure you get the "title" from root and not that from "FOLDER" (it has a "title" of its own)?

The "title" thing was a bad example, as there is a "title" attribute. In the real case it is not "title" but "managementButtonBar", so the naming issue is none. And I verified the thing again: it really works the way I described it ...

> > Also, if the user is in the ROOT folder, everything works fine. But then I can't really do what I want, i.e. restrict permissions to the FOLDER folder ...
>
> That's to be expected, because then the authenticating user folder covers the "title" method.

I understand ...

Cheers

Joachim
> > The funny thing is: http://.../ROOT/FOLDER/title will work fine ...
>
> Indeed, funny. Should probably not happen.

What also works: if I put an index_html into FOLDER, it acquires <dtml-var title> (to stay with the example) correctly (or should I say "incorrectly"?). I still have a problem in understanding the pattern. It seems to have something to do with the order of acquisition.

From Python I have similarly strange things, but more on that later ...

Joachim
Hello Joachim,

Joachim Werner writes:
> > Zope security had been strengthened to explicitly forbid access to objects outside the folder covered by the authenticating user folder.
>
> That's good in terms of security. But also extremely limiting. My idea was that I'd be able to say "All editors can edit stuff" and protect the corresponding methods with the "Edit stuff" permission. Then I'd assign the "Editor" role on a local basis, either using local roles or our Slave User Folder.

The "local role" approach should work, the "slave user folder" not.

Dieter
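The two rules Dieter states in this thread (a user folder only covers the folder it sits in and that folder's subtree; local roles work for per-folder grants where a sub-folder user folder does not) are easier to see as code. The following Python model is an added illustration written for this page; it is not Zope's own implementation. It applies the containment rule exactly as Dieter phrases it (the method's physical location must lie under the folder whose acl_users authenticated the user), so it deliberately does not reproduce the acquired-URL case (/ROOT/FOLDER/title working for Charly) that Joachim reports and the thread leaves unexplained. The user "Edna", the method "edit_stuff" and the role mapping of the "Edit stuff" permission are assumptions made up for the example; acquisition wrappers and permission inheritance are reduced to walking the folder tree.

```python
class Folder:
    """One folder of the hierarchy. Methods, permission-to-role mappings,
    local role grants and the optional user folder are plain dicts."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.methods = {}           # method name -> permission protecting it
        self.permission_roles = {}  # permission -> set of roles granted it
        self.local_roles = {}       # user name -> set of roles granted here
        self.acl_users = None       # user folder: {user name: set of roles}, or None

    def path(self):
        """Folders from the root down to this one (the physical location)."""
        chain, f = [], self
        while f is not None:
            chain.append(f)
            f = f.parent
        return chain[::-1]

    def url(self):
        return "/" + "/".join(f.name for f in self.path())


def authenticate(folder, username):
    """Zope tries the user folders met during traversal from the innermost
    outwards; the first one that knows the user authenticates the request.
    Returns (folder holding that user folder, roles defined there)."""
    f = folder
    while f is not None:
        if f.acl_users is not None and username in f.acl_users:
            return f, set(f.acl_users[username])
        f = f.parent
    return None, set()


def acquire(folder, name, attr="methods"):
    """Acquisition: look `name` up in `folder`, then in each parent in turn.
    Returns the folder that physically holds it."""
    f = folder
    while f is not None:
        if name in getattr(f, attr):
            return f
        f = f.parent
    raise KeyError(name)


def check_access(via, name, username):
    """Decide whether `username`, having traversed to folder `via`, may call
    method `name` (possibly acquired from a parent). Returns (bool, reason)."""
    ctx, roles = authenticate(via, username)
    if ctx is None:
        return False, "no user folder on the way to %s knows %s" % (via.url(), username)
    holder = acquire(via, name)
    # Rule 1 (Dieter's point): the method must be located inside the folder
    # covered by the user folder that authenticated the user.
    if ctx not in holder.path():
        return False, "%s lives in %s, outside %s, which the user folder covers" % (
            name, holder.url(), ctx.url())
    # Rule 2: add the local roles granted on every folder along the traversal path.
    for f in via.path():
        roles |= f.local_roles.get(username, set())
    permission = holder.methods[name]
    allowed = acquire(holder, permission, "permission_roles").permission_roles[permission]
    if roles & allowed:
        return True, "%s holds %s" % (username, sorted(roles & allowed))
    return False, "%s needs one of %s, %s has %s" % (
        name, sorted(allowed), username, sorted(roles))


def build_site():
    """Joachim's layout plus the local-role alternative Dieter recommends.
    Edna, edit_stuff and the "Edit stuff" mapping are made up for this example."""
    root = Folder("ROOT")
    folder = Folder("FOLDER", root)
    root.methods = {"title": "View", "index_html": "View", "edit_stuff": "Edit stuff"}
    root.permission_roles = {"View": {"TitleViewer", "Manager"},
                             "Edit stuff": {"Editor", "Manager"}}
    folder.acl_users = {"Charly": {"TitleViewer"}}   # Joachim: user folder in FOLDER
    root.acl_users = {"Edna": set()}                # alternative: user defined in ROOT ...
    folder.local_roles = {"Edna": {"Editor"}}       # ... with Editor only as a local role
    return root, folder


if __name__ == "__main__":
    root, folder = build_site()
    for via, name, user in [(folder, "title", "Charly"),
                            (folder, "edit_stuff", "Edna"),
                            (root, "edit_stuff", "Edna")]:
        ok, why = check_access(via, name, user)
        print("%s/%s as %s: %s (%s)" % (via.url(), name, user,
                                        "allowed" if ok else "denied", why))
```

Run as a script, the model denies Charly the ROOT method `title` under rule 1, lets Edna call `edit_stuff` through /ROOT/FOLDER (the local role on FOLDER is on the traversal path) and denies her the same method at /ROOT, which is the per-folder restriction Joachim wants without a dedicated role per folder.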
Participants (2): Dieter Maurer, Joachim Werner