Local roles and acquisition
I have the following problem regarding local roles and acquisition: Folder structure: A------B------index_html | ----worker A and B are folders, worker is an object with some handy methods. These methods are declared protected with security.declareProtected('Manage properties'). The index_html in B uses some of the functions in worker, so whoever is using index_html must have a role that has the permission 'Manage properties'. When I assign a local role to someone in folder B that has the permission 'Manage properties', I still cannot access the protected methods in worker. Also, trying to do things like http://mysite/A/B/worker/someMethod or http://mysite/A/worker/B/someMethod doesn't work (I get the login box.) How does Zope resolve security when using acquisition to access methods. Proxy roles won't help as I am using a product and in this case, index_html is a skin method in a CMF site, so I can't assign a proxy role to index_html. Thanks Etienne.
Etienne Labuschagne wrote at 2003-4-23 10:01 +0200:
I have the following problem regarding local roles and acquisition:
Folder structure:
A------B------index_html | ----worker
A and B are folders, worker is an object with some handy methods. These methods are declared protected with security.declareProtected('Manage properties').
The index_html in B uses some of the functions in worker, so whoever is using index_html must have a role that has the permission 'Manage properties'.
When I assign a local role to someone in folder B that has the permission 'Manage properties', I still cannot access the protected methods in worker.
Your diagram is not completely clear but I suppose "worker" is in "A" (and not in "B"). Then, the behaviour you observe is as it should be. When you call a protected method on an object, the user must have the necessary permission (mapped to roles) on *THAT* object. Local roles (like other security settings) are only acquired via containment (i.e. statically with respect to the site structure) and not via context. Dieter
participants (2)
-
Dieter Maurer -
Etienne Labuschagne