[Zope-CMF] Securing CMF with Page Templates
Kent Polk
kent@goathill.org
Fri, 12 Apr 2002 17:09:27 -0500 (CDT)
Dieter Maurer wrote:
> Kent Polk writes:
> > Have you turned off 'Acquire permission settings' for 'view' to
> > that object, allowed view permission only for a User defined role,
> > and then logged in as a user who has that role (or set via local
> > roles) and then tried to access the file/size for that object from
> > outside of that object?
> No, I did not.
>
> > It fails every time for me.
> And it might be right:
>
> The effective permissions are the intersection
> of those that both the executing user and the owner of the
> executing script have.
>
> If the owner no longer has the "View" permission, then even when
> the executing user has it, he will not be allowed to view.
>
> This is Zope's Trojan Horse protection...
Actually, I oversimplified the case a tiny bit (didn't know that
it would matter). The owner does have view permissions but is the
only other role that does, so the case still appears the same here.
I didn't know about this particular restriction. Are there any
others that would come into play here?
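As an added illustration of the rule Dieter describes (not code from Zope or from anyone on this thread), the following constructed Python model treats "view allowed" as the intersection of what the executing user and the owner of the executing script are each granted, with acquisition turned off on the file and roles coming from global roles or local roles; the site, users and role names are invented for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    """Constructed model of a Zope object carrying its own permission settings."""
    name: str
    parent: "Obj | None" = None
    perms: dict = field(default_factory=dict)        # permission -> roles granted here
    acquire: set = field(default_factory=set)        # permissions that acquire from parent
    local_roles: dict = field(default_factory=dict)  # user -> extra roles on this object

def roles_for(obj, permission):
    """Roles granted `permission` on obj, plus the parent's when acquisition is on."""
    roles = set(obj.perms.get(permission, ()))
    if permission in obj.acquire and obj.parent is not None:
        roles |= roles_for(obj.parent, permission)
    return roles

def user_roles(obj, user, global_roles):
    """Global roles plus local roles held on obj and every ancestor."""
    roles = set(global_roles.get(user, ()))
    node = obj
    while node is not None:
        roles |= set(node.local_roles.get(user, ()))
        node = node.parent
    return roles

def allowed(obj, permission, executing_user, script_owner, global_roles):
    # Trojan Horse rule: the executing user AND the script owner must each hold it
    granted = roles_for(obj, permission)
    user_ok = bool(user_roles(obj, executing_user, global_roles) & granted)
    owner_ok = bool(user_roles(obj, script_owner, global_roles) & granted)
    return user_ok and owner_ok

# Constructed sample site: alice holds a user-defined role, bob owns the script.
GLOBAL_ROLES = {"alice": {"Member"}, "bob": {"Manager"}}
ROOT = Obj("root", perms={"View": {"Manager", "Member"}})

def owner_lacks_view():
    # Acquisition off; View granted only to Member, so owner bob lacks it: denied
    f = Obj("file", parent=ROOT, perms={"View": {"Member"}})
    return allowed(f, "View", "alice", "bob", GLOBAL_ROLES)

def owner_has_view_via_local_role():
    # Owner also holds View through a local Owner role: the rule permits access
    f = Obj("file", parent=ROOT, perms={"View": {"Member", "Owner"}},
            local_roles={"bob": {"Owner"}})
    return allowed(f, "View", "alice", "bob", GLOBAL_ROLES)
```

The second case matches the situation Kent describes, so under this rule alone the request would succeed; a failure there points to some other check.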