UserFolder and errors after owner of an object is deleted
Hi,

I just noticed a funny behaviour, if I have a user in userfolder that has created a set of page templates and later I destroy that user - all his / her templates stop working and begin to complain, for example, 'you don't have rights to access title in this context'.

Of course errors disappear when objects are either owned by new user or user, named like old user, is created.

Is there any good reason for something like this happening? A bug in security mechanism?

Tested on Zope 2.5.1 Python 2.1.3

--
Heimo Laukkanen
Oy Fountain Park Ltd
Hämeentie 153 B, 00560 Helsinki, Finland
tel. +358 9 777 68 161, gsm +358 40 759 1110, fax +358 9 777 68 100
http://www.fountainpark.org
This is a consequence of the changes enacted to prevent server-side trojan attacks, I believe. So, it's a feature and not a bug ;p

from: http://www.zope.org//Members/jim/ZopeSecurity/ServerSideTrojan

What happens if the owner goes away? What if someone deletes the owner from the user database, or deletes the user database? If the owner can't be found, then we'll use the special user nobody, which is extremely unprivileged.

regards,
george donnelly
http://zettai.net/
zettai: zope hosting and dynamic websites
From: Heimo Laukkanen <huima@fountainpark.org>
I just noticed a funny behaviour, if I have a user in userfolder that has created a set of page templates and later I destroy that user - all his / her templates stop working and begin to complain, for example, 'you don't have rights to access title in this context'.
Of course errors disappear when objects are either owned by new user or user, named like old user, is created.
Is there any good reason for something like this happening? A bug in security mechanism?
Heimo Laukkanen writes:
I just noticed a funny behaviour, if I have a user in userfolder that has created a set of page templates and later I destroy that user - all his / her templates stop working and begin to complain, for example, 'you don't have rights to access title in this context'.

That's not funny but normal:

The effective roles are the intersection of the owner roles (of the executable) and the roles of the executing user. Non-existing owners have at most the "Anonymous" role.

You may want to read Brian's Zope Security document (for Zope 2.2, when the above restriction was introduced).

Dieter
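Added example, not part of any message in this thread and not Zope code: a simplified Python model of the rule the replies describe (effective roles are the intersection of owner and executing-user roles, and an owner that cannot be found counts as Anonymous only). `UserFolder`, `Template`, the users `alice` and `bob`, and the assumption that reading `title` requires `Manager` are constructed for illustration.

```python
# Simplified model of the rule described in this thread; not Zope code.
# UserFolder, Template and the sample users/roles are constructed.
ANONYMOUS = frozenset({"Anonymous"})

class UserFolder:
    """Maps user names to role sets (stand-in for a Zope user folder)."""
    def __init__(self):
        self._roles = {}

    def add(self, name, roles):
        # Every existing user implicitly holds Anonymous as well.
        self._roles[name] = frozenset(roles) | ANONYMOUS

    def delete(self, name):
        del self._roles[name]

    def roles_of(self, name):
        # Owner not found: fall back to the unprivileged "nobody" roles.
        return self._roles.get(name, ANONYMOUS)

class Template:
    """Executable object that records its owner by name only."""
    def __init__(self, owner_name):
        self.owner_name = owner_name

def effective_roles(folder, template, caller):
    """Intersection of the owner's roles and the executing user's roles."""
    return folder.roles_of(template.owner_name) & folder.roles_of(caller)

def can_access(folder, template, caller, required_roles):
    """True if an effective role is among those granted the permission."""
    return bool(effective_roles(folder, template, caller) & set(required_roles))

def demo():
    folder, needed = UserFolder(), {"Manager"}  # assumed: title needs Manager
    folder.add("alice", {"Manager"})
    folder.add("bob", {"Manager"})
    tpl = Template(owner_name="alice")
    results = [can_access(folder, tpl, "bob", needed)]       # owner exists
    folder.delete("alice")
    results.append(can_access(folder, tpl, "bob", needed))   # owner deleted
    folder.add("alice", {"Manager"})
    results.append(can_access(folder, tpl, "bob", needed))   # name recreated
    folder.delete("alice")
    tpl.owner_name = "bob"
    results.append(can_access(folder, tpl, "bob", needed))   # new owner
    return results
```

`demo()` returns one result per situation from the thread, in order: owner present, owner deleted, a user with the old name recreated, ownership moved to an existing user. Because the model matches owners by name, the third case shows that a recreated account of the same name restores the orphaned objects' privileges.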
Participants (3): Dieter Maurer, george donnelly, Heimo Laukkanen