Re: [Zope] Not authorised to assign proxy role
Ng Pheng Siong writes:
On Mon, Feb 19, 2001 at 12:05:05AM +0100, Dieter Maurer wrote:
Ng Pheng Siong writes:
You are not authorized to change prox because you do not have proxy roles.
You want to give the object a proxy role, you yourself do not have.
Aye, thanks. That was a simple fix, although it feels kludgy: Given the following folder structure:
- root |- sub
To do what I want, I needed to create a user folder in sub, add a user with same username, same password as the one in root, then assign the proxy role to the user in sub. This should not be necessary.
I would expect two alternatives: 1. Move the role up to the root folder and give it there to the user 2. Give the user a "local role" in "sub".
I'd imagine if a user is able to create proxy roles, he ought to be able to assign that role to a dtml method he manages. ;-| From a usage point of view, I would agree.
It might make the security implementation more difficult however. I am currently not sure, how proxy roles and owner roles play together. If the effective roles are the intersection of the two (as I think they are) then removing the restriction would cause surprises on access. Dieter
On Tue, Feb 20, 2001 at 08:53:51PM +0100, Dieter Maurer wrote:
1. Move the role up to the root folder and give it there to the user
The role is created dynamically, specifically to allow access to a GuardedFile in the current folder. Does not feel right to move the role upwards.
2. Give the user a "local role" in "sub".
This works. Thanks for the suggestion.
It might make the security implementation more difficult however.
I agree. This part of Zope does not give me warm fuzzies at the moment. I need to think more about this. Something along the lines of capabilities. (See www.erights.org.) A refactoring browser for Python would also be helpful. (Yeah, I should check out Bicycle Repair Man.) Cheers. -- Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
participants (2)
-
Dieter Maurer -
Ng Pheng Siong