Re: [Zope] Authentication problem with owner_info
Nicolas Évrard wrote at 2003-3-17 22:22 +0100:
> ... And if you have a reason why access to the owner of an object is not visible unless I use a proxied script I would really be glad to read it.

It is protected by a permission. And as with all permissions, you must either grant them to the users that need them or you have a special script with a proxy role.

I do not argue whether the set of methods protected by the one protecting "owner_info" is senseful. It heavily depends on the application domain, in general.

And it is not worth arguing about it, as you always can use the proxy role approach.

Dieter
* Dieter Maurer [21:22 18/03/03 CET]:
> Nicolas Évrard wrote at 2003-3-17 22:22 +0100:
> > ... And if you have a reason why access to the owner of an object is not visible unless I use a proxied script I would really be glad to read it.
> It is protected by a permission.
> And as with all permissions, you must either grant them to the users that need them or you have a special script with a proxy role.

Ok with that ...

> I do not argue whether the set of methods protected by the one protecting "owner_info" is senseful. It heavily depends on the application domain, in general.

Well, I don't really see how the information about who is the owner of an object or so might be a security breach. I'm not a security guru so I can hardly imagine how to trick the Zope Security System with such information.

> And it is not worth arguing about it, as you always can use the proxy role approach.

Yup, but I was wondering how this protection came about ... Because even if the script is really simple I see it as a "setuid root script" and I don't like having those kinds of things hanging around in my system if they are not *really* unavoidable. Because, for example, if I need to access this kind of information in a fairly complicated script, there may be some security issues I don't check and the script will be proxied => A potential security breach?

Anyway thank you for your answer.

--
(°> Nicolas Évrard
/ ) Liège - Belgique
^^
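The trade-off discussed in this thread, a permission-protected `owner_info` versus a proxied script that behaves like a setuid helper, as an added example (not code from either poster and not Zope's own AccessControl code). It is a simplified stand-alone model: `SecurityContext`, `Document`, `get_owner_id` and the role table are hypothetical, and the permission name guarding `owner_info` is an assumption.

```python
# Simplified model of a permission-protected method and a proxy-role script.
# NOT Zope's AccessControl implementation; every name here is hypothetical.
from contextlib import contextmanager

class Unauthorized(Exception):
    pass

# Constructed role -> permission table for the model.
ROLE_PERMISSIONS = {
    "Anonymous": {"View"},
    "Manager": {"View", "View management screens"},
}

class SecurityContext:
    def __init__(self, user_roles):
        self._stack = [set(user_roles)]  # effective roles; top of stack applies

    def check(self, permission):
        roles = self._stack[-1]
        if not any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles):
            raise Unauthorized(permission)

    @contextmanager
    def proxy_roles(self, roles):
        # The proxy roles replace the caller's roles only inside the block.
        self._stack.append(set(roles))
        try:
            yield
        finally:
            self._stack.pop()

class Document:
    def __init__(self, owner_id, body):
        self._owner_id, self.body = owner_id, body

    def owner_info(self, ctx):
        ctx.check("View management screens")  # assumed protecting permission
        return {"id": self._owner_id, "path": "/acl_users"}

    def manage_edit(self, ctx, body):
        ctx.check("View management screens")  # same permission, riskier method
        self.body = body

def get_owner_id(ctx, doc):
    """Proxied script kept minimal: one fixed read, one field returned."""
    with ctx.proxy_roles(["Manager"]):
        info = doc.owner_info(ctx)
    return info["id"]  # elevation is already dropped at this point
```

The helper takes no method name or expression from the caller, so the elevated block can only ever perform the single `owner_info` read; the other method guarded by the same permission stays out of reach.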