On Wed, 30 Jul 2003 09:46:06 -0600 GMT (17:46 where I live, GMT+2), Tom Nichols asked the Zope mailing list about the following:
I don't seem to understand the Security applied to a script. ..... When another user who does not have the manager role runs the script that calls this one against the config object, this script fails because the user does not have permission to do the manage_changeProperties call.
If I add 'manage properties' permission on the object config to a role this user has, then the script runs properly.
So it appears to me that the script runs with the user's permission rather than the owner's permission (which I expected).
Can anyone help me understand why the script doesn't run with its owner's (a manager) permission to manage properties?

A script is run with the lowest of the two: the owner's and the user executing it. If you want it to be able to run with more permissions than the executing user has, you have to give the script a proxy role. The security chapter of the Zope Book (2.6 edition) has it all described in detail: http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx :)

--
Geir Bækholt
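
The rule in the reply above, as an added example that is not part of the original thread and is not Zope's own code: a simplified model in which the script owner's roles cap what the script may do, and proxy roles, when set, stand in for the executing user's roles. The names `Obj`, `Script` and `may_call` and the `Editor` role are assumptions made for illustration.

```python
# Simplified model of the check described in the reply; not Zope's own code.
# Obj, Script and may_call are hypothetical names used only for this example.
from dataclasses import dataclass


@dataclass
class Obj:
    # permission name -> set of roles granted that permission on this object
    permissions: dict

    def roles_allow(self, roles, permission):
        return bool(set(roles) & set(self.permissions.get(permission, ())))


@dataclass
class Script:
    owner_roles: frozenset
    proxy_roles: frozenset = frozenset()


def may_call(script, user_roles, obj, permission):
    """True if a protected call made from inside `script` is allowed."""
    # 1. The owner caps what the script can do, whoever runs it.
    if not obj.roles_allow(script.owner_roles, permission):
        return False
    # 2. Proxy roles, when set, replace the executing user's roles.
    effective = script.proxy_roles or user_roles
    return obj.roles_allow(effective, permission)


# Constructed sample data mirroring the thread.
PERM = "Manage properties"
MANAGER = frozenset({"Manager"})
config = Obj({PERM: {"Manager"}})
plain = Script(owner_roles=MANAGER)
proxied = Script(owner_roles=MANAGER, proxy_roles=MANAGER)


def scenarios():
    editor = {"Editor"}  # constructed role for the non-manager user
    granted = Obj({PERM: {"Manager", "Editor"}})
    weak_owner = Script(owner_roles=frozenset({"Editor"}), proxy_roles=MANAGER)
    return {
        "manager_runs_plain": may_call(plain, {"Manager"}, config, PERM),
        "editor_runs_plain": may_call(plain, editor, config, PERM),
        "editor_after_grant": may_call(plain, editor, granted, PERM),
        "editor_runs_proxied": may_call(proxied, editor, config, PERM),
        "proxy_exceeds_owner": may_call(weak_owner, editor, config, PERM),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'Unauthorized'}")
```

A proxy role applies to every user who can run the script, so a script that carries one is best kept to a single narrow operation.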