[Zope-CMF] A role to assign local roles.
Luca Olivetti
luca@wetron.es
Tue, 26 Mar 2002 10:07:08 +0100
Lalo Martins wrote:
>
> Luca, you have a security problem with your setup. It's very
> simple.
>
> If you allow Joe and Jane to assign the role "Reviewer" to other
> people, and they don't have that role themselves, then you're
> allowing them to assign this role to themselves.
True, but this doesn't bother me much. These users have enough decisional power to do
that, they're simply not technical so I just want them to stay outside the nitty-gritty
management of the portal.
> So, in effect
> it's exactly the same situation you'd have if you just gave them
> the roles.
Yes, I know. But if I just assign them the roles, they will be bothered with a lot of
possible actions (much more than in a default cmf site) of no concern to them in the
actions box. If they do that then that's their problem ;-).
This is my main concern at the moment wrt these people, not really security.
> Also, if you allow them to assign *any* role to anyone, they can
> assign "Manager" to themselves and wreak havoc, which defeats
> the point of the whole Zope security machinery.
This *is* a good point I didn't think of. The method suggested by Tres seems good (thank
you! btw), I'll just have to take care and filter out Manager from the roles they can
assign.
Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004 Fax +34 93 5883007
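The mitigation the thread settles on, an allow-list of delegatable roles with Manager left out, as an added Python example that is not code from this thread or from Zope/CMF. The LocalRoleStore class, the role names and the user ids are constructed for the example; in a real site Zope's manage_setLocalRoles would sit behind assign_delegated.

```python
# Added example (not from the thread): a minimal model of delegated local-role
# assignment guarded by an allow-list. Store, role names and user ids are
# constructed for illustration.

# Roles that non-technical delegates may hand out. 'Manager' is deliberately
# absent: anyone who can grant Manager can grant it to themselves.
DELEGATABLE_ROLES = frozenset({"Reviewer", "Member"})


class LocalRoleStore:
    """Per-object local roles, modelled loosely on Zope's __ac_local_roles__."""

    def __init__(self):
        self._local_roles = {}  # userid -> set of role names

    def get_local_roles_for_userid(self, userid):
        return sorted(self._local_roles.get(userid, set()))

    def assign_delegated(self, actor, target, roles):
        """Grant `roles` to `target` on behalf of `actor`.

        Every requested role must be in DELEGATABLE_ROLES; otherwise nothing
        is changed and PermissionError is raised. Refusing the whole request,
        rather than silently dropping the bad roles, keeps the attempt visible.
        """
        requested = set(roles)
        forbidden = requested - DELEGATABLE_ROLES
        if forbidden:
            raise PermissionError(
                "%s may not assign %s" % (actor, ", ".join(sorted(forbidden)))
            )
        self._local_roles.setdefault(target, set()).update(requested)
        return self.get_local_roles_for_userid(target)


def demo():
    store = LocalRoleStore()
    # Joe, who holds no technical role himself, may still hand out Reviewer...
    granted = store.assign_delegated("joe", "jane", ["Reviewer"])
    # ...including to himself, which the thread accepts as a known trade-off.
    store.assign_delegated("joe", "joe", ["Reviewer"])
    # Escalation to Manager, however, is refused and leaves no partial grant.
    try:
        store.assign_delegated("joe", "joe", ["Reviewer", "Manager"])
        escalated = True
    except PermissionError:
        escalated = False
    return granted, store.get_local_roles_for_userid("joe"), escalated
```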