Unaware of any security risks I used this "feature" from zope 1.10.x on and regularly upgrading my applications I had no problems until zope 2.7.8 cb ----- Original Message ----- From: "Lennart Regebro" <regebro@gmail.com> To: "Kees de Brabander" <cj.de.brabander@hccnet.nl> Cc: "David" <bluepaul@earthlink.net>; "zope user list" <zope@zope.org> Sent: Friday, February 10, 2006 2:49 PM Subject: Re: [Zope] Zope and roles and hierarchy On 2/10/06, Kees de Brabander <cj.de.brabander@hccnet.nl> wrote:
If so, couldn't we have some extra attribute to a role like "upwardly mobile"? (I want to share a code base for several folders sub-folders and I do not wanta to give it anonymous access).
I second that. This used to be possible, at least up to zope 2.7.3.
No, you don't have any rights above where you are created, because you don't exist there and hence you can not be validated. Implementing that would be complicated, unnecessary and most likely open up huge security holes.
The loss of this feature makes the acquisition concept obsolete to some extent.
There may be some difference and some feature which you lost between 2.7.3 and 2.7.8, especially since there was done a lot of security fixes, but the described functionality was not it, unless Zope 2.7.3 specifically had by mistake opened up this gaping security hole. -- Lennart Regebro, Nuxeo http://www.nuxeo.com/ CPS Content Management http://www.cps-project.org/