[Zope-CMF] A role to assign local roles.

Lalo Martins lalo@laranja.org
Mon, 25 Mar 2002 15:45:30 -0300


On Mon, Mar 25, 2002 at 01:32:44PM -0500, Adam Fields wrote:
> 
> Lalo Martins says:
> > Luca, you have a security problem with your setup. It's very
> > simple.
> > 
> > If you allow Joe and Jane to assign the role "Reviewer" to other
> > people, and they don't have that role themselves, then you're
> > allowing them to assign this role to themselves. So, in effect
> > it's exactly the same situation you'd have if you just gave them
> > the roles.
> 
> Not exactly. You could allow the HR role to assign roles to some other
> subset of users that doesn't include their own account.

If they're really malicious, they could work in conjunction with
other people - say, give "Manager" to Fred and then have Fred
give "Manager" to them.

But the (IMHO) more dangerous situation is where they're not
malicious. They could assign "Manager" to Fred by accident,
perhaps because he is a Manager in the company and they
momentarily forgot what the role "Manager" means. Or
something.

Personally I think it's simpler and safer to give them the roles
they'll be assigning.

[]s,
                                               |alo
                                               +----
--
  It doesn't bother me that people say things like
   "you'll never get anywhere with this attitude".
   In a few decades, it will make a good paragraph
      in my biography. You know, for a laugh.
--
http://www.laranja.org/                mailto:lalo@laranja.org
         pgp key: http://www.laranja.org/pessoal/pgp

Brazil of Darkness (RPG)      ---       http://www.BroDar.org/
Python Foundry Guide http://www.sf.net/foundry/python-foundry/
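The two cases argued above (the collusion chain through Fred, and Adam's counter-case where HR may only assign a role to accounts other than its own) can be checked mechanically by computing the closure of roles each account can reach if everyone cooperates. The following is an added worked example, not code from this thread or from Zope/CMF; the user names, the `Grant` tuple shape and the `role_powers` table (which roles carry the right to assign other roles, as "Manager" does in Zope) are constructed assumptions for illustration.

```python
"""Worst-case closure of role-assignment delegation (constructed example).

Model: each principal holds some roles directly, may hold some explicit
assignment grants (role, target user), and every role may confer further
grants on whoever holds it. We assume every user cooperates (or blunders),
and ask which roles each user can end up with.
"""
from typing import Dict, Iterable, Set, Tuple

ANY = "*"                      # wildcard: any role, or any user
Grant = Tuple[str, str]        # (role to assign, user it may be assigned to)


def effective_roles(
    users: Iterable[str],
    direct_roles: Dict[str, Set[str]],
    assign_grants: Dict[str, Set[Grant]],
    role_powers: Dict[str, Set[Grant]],
) -> Dict[str, Set[str]]:
    """Fixed point of 'who can give which role to whom' under full cooperation."""
    users = set(users)
    all_roles: Set[str] = set(role_powers)
    for rs in direct_roles.values():
        all_roles |= set(rs)
    for gs in list(assign_grants.values()) + list(role_powers.values()):
        all_roles |= {r for r, _ in gs if r != ANY}

    roles: Dict[str, Set[str]] = {u: set(direct_roles.get(u, ())) for u in users}
    changed = True
    while changed:                      # monotone over a finite set, so it ends
        changed = False
        for granter in users:
            grants: Set[Grant] = set(assign_grants.get(granter, ()))
            for held in roles[granter]:  # rights conferred by roles already won
                grants |= set(role_powers.get(held, ()))
            for role, target in grants:
                targets = users if target == ANY else {target}
                new_roles = all_roles if role == ANY else {role}
                for t in targets & users:
                    missing = new_roles - roles[t]
                    if missing:
                        roles[t] |= missing
                        changed = True
    return roles


def collusion_scenario() -> Dict[str, Set[str]]:
    """Lalo's case: Joe may hand 'Manager' to Fred; Manager may assign anything."""
    return effective_roles(
        users={"joe", "fred"},
        direct_roles={},
        assign_grants={"joe": {("Manager", "fred")}},
        role_powers={"Manager": {(ANY, ANY)}},   # assumption: Manager assigns roles
    )


def restricted_scenario() -> Dict[str, Set[str]]:
    """Adam's case: Joe may give 'Reviewer' to Fred only; Reviewer assigns nothing."""
    return effective_roles(
        users={"joe", "fred"},
        direct_roles={},
        assign_grants={"joe": {("Reviewer", "fred")}},
        role_powers={},
    )


def can_obtain(closure: Dict[str, Set[str]], user: str, role: str) -> bool:
    """True if `user` can end up holding `role` by some chain of assignments."""
    return role in closure.get(user, set())


if __name__ == "__main__":
    for name, fn in (("collusion", collusion_scenario), ("restricted", restricted_scenario)):
        closure = fn()
        print(name + ":")
        for user in sorted(closure):
            print("  %-5s -> %s" % (user, sorted(closure[user]) or "(nothing)"))
```

Running it shows the difference between the two arguments: in the collusion scenario Joe ends up as Manager even though nobody ever granted him the role directly, because the role he can hand out carries the right to hand roles back. In the restricted scenario Joe never reaches Reviewer, since Reviewer confers no assignment power and Joe is excluded from his own target set. The useful check before delegating role assignment is therefore whether the role being delegated can itself assign roles; if it can, delegating it is equivalent to granting it.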