[Zope-CMF] A role to assign local roles.

Lalo Martins lalo@laranja.org
Mon, 25 Mar 2002 15:24:16 -0300


On Mon, Mar 25, 2002 at 10:34:33AM +0100, Luca Olivetti wrote:
> I would like a role (say, 'Human Resources') to assign local roles to other 
> users.
> Since the machinery is already in place (through folder_localrole_form) I 
> thought I could use it.
> The problem is that in MembershipTool.py (methods getCandidateLocalRoles 
> and setLocalRoles) the user is restricted to assign roles she already has 
> unless she is 'Manager'.
> I don't want these users to be 'Manager' (to avoid them making collateral 
> damage to the portal ;-) but I don't want them to have all roles they are 
> to assign either.

Luca, you have a security problem with your setup. It's very
simple.

If you allow Joe and Jane to assign the role "Reviewer" to other
people, and they don't have that role themselves, then you're
allowing them to assign this role to themselves. So, in effect
it's exactly the same situation you'd have if you just gave them
the roles.

Also, if you allow them to assign *any* role to anyone, they can
assign "Manager" to themselves and wreak havoc, which defeats
the point of the whole Zope security machinery.

[]s,
                                               |alo
                                               +----
--
  It doesn't bother me that people say things like
   "you'll never get anywhere with this attitude".
   In a few decades, it will make a good paragraph
      in my biography. You know, for a laugh.
--
http://www.laranja.org/                mailto:lalo@laranja.org
         pgp key: http://www.laranja.org/pessoal/pgp

Brazil of Darkness (RPG)      ---       http://www.BroDar.org/
Python Foundry Guide http://www.sf.net/foundry/python-foundry/
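The restriction in MembershipTool that Luca ran into, and the self-grant escalation Lalo describes, as an added example that is not part of the original thread or of the CMF code: a minimal model of the candidate-local-roles rule, with a `restrict` switch standing in for the relaxed policy. All role names, user names and function names are constructed for illustration.

```python
# Added illustration, not CMF's MembershipTool: models the rule that a user may
# only hand out local roles she already holds unless she is 'Manager', and
# shows what happens when that rule is relaxed for a 'Human Resources' role.

# Constructed set of portal roles for the example.
PORTAL_ROLES = {"Member", "Reviewer", "Manager", "Human Resources"}


class PolicyError(Exception):
    """Raised when an actor tries to grant a role outside her candidate set."""


def candidate_local_roles(actor_roles, restrict=True):
    """Roles the actor may assign. With restrict=True this mirrors the CMF
    rule: everything for a Manager, otherwise only roles already held.
    restrict=False models the relaxed policy Luca asked for."""
    if not restrict or "Manager" in actor_roles:
        return set(PORTAL_ROLES)
    return set(actor_roles) & PORTAL_ROLES


def set_local_roles(local_roles, actor, actor_roles, target, roles, restrict=True):
    """Grant `roles` to `target` on one object, refusing anything the actor
    is not allowed to hand out. Returns the updated local-role map."""
    disallowed = set(roles) - candidate_local_roles(actor_roles, restrict)
    if disallowed:
        raise PolicyError(f"{actor} may not grant {sorted(disallowed)}")
    local_roles.setdefault(target, set()).update(roles)
    return local_roles


def effective_roles(global_roles, local_roles, user):
    """Roles a user ends up with: global roles plus local roles on the object."""
    return set(global_roles.get(user, ())) | local_roles.get(user, set())


def escalation_possible(actor_roles, coveted, restrict=True):
    """Can an actor holding `actor_roles` obtain `coveted` simply by granting
    it to herself? This is the situation Lalo warns about: whenever the
    policy lets her assign a role she lacks, she can assign it to herself."""
    local = {}
    try:
        set_local_roles(local, "hr", actor_roles, "hr", {coveted}, restrict)
    except PolicyError:
        return False
    return coveted in effective_roles({"hr": actor_roles}, local, "hr")
```

With the CMF rule in force the 'Human Resources' user cannot reach 'Reviewer' or 'Manager'; with the rule relaxed she can grant herself 'Manager' on any object she can edit.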