[Zope-CMF] security questions writing unit tests

Dieter Maurer dieter@handshake.de
Wed, 30 Oct 2002 20:08:19 +0100


robert writes:
 > I am writing unit tests for a Plone-based intranet.
 > 
 > My question: why can user kurt delete the folder "xyz" which was created 
 > by hans and set to state private?
I see two potential reasons:

  1.  The code is not TTW code and therefore not restricted by the Zope
      security system -- this was already suggested by Chris.

  2.  Whether an object can be deleted is *INDEPENDENT* of the object
      and depends only on the container containing the object.

      When a user has the "Delete objects" permission on the container,
      it can delete the contained objects (unless these raise
      an exception in their "manage_beforeDelete" method).


Dieter
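To make the two points above checkable in a unit test, here is an added example that is not part of Dieter's reply and not Zope's own code: a small Python model of how Zope resolves "Delete objects" through the container chain (acquisition of permission-to-role settings and of local roles). The users hans and kurt, the folder "xyz" and its "intranet" container are constructed to mirror the question; the `restricted` flag stands in for the difference between TTW code (checked by the security machinery) and filesystem code (not checked).

```python
"""Toy model of Zope's container-based "Delete objects" check.

Constructed example for this thread, not Zope's code. It mimics how the
permission is resolved by walking the acquisition chain from the container
upward, so a test can show why the child's workflow state does not matter.
"""

DELETE = "Delete objects"


class Unauthorized(Exception):
    """Raised when a restricted caller lacks the permission."""


class Folder:
    def __init__(self, name, parent=None, private=False):
        self.name = name
        self.parent = parent
        self.private = private        # workflow state of the object itself
        self.children = {}
        self.permission_roles = {}    # permission -> roles granted here
        self.acquire = {}             # permission -> acquire from parent?
        self.local_roles = {}         # user -> roles granted on this node
        self.global_roles = {}        # user -> roles; only used at the root
        if parent is not None:
            parent.children[name] = self

    def manage_permission(self, permission, roles, acquire=True):
        self.permission_roles[permission] = set(roles)
        self.acquire[permission] = acquire

    def manage_addLocalRoles(self, user, roles):
        self.local_roles.setdefault(user, set()).update(roles)

    def manage_beforeDelete(self):
        """Hook a subclass may override to veto deletion by raising."""

    def roles_for_permission(self, permission):
        # Collect roles granted here, then from parents while acquiring.
        roles, node = set(), self
        while node is not None:
            roles |= node.permission_roles.get(permission, set())
            if not node.acquire.get(permission, True):
                break
            node = node.parent
        return roles

    def roles_of(self, user):
        # Local roles are acquired along the chain; global roles live at root.
        roles, node = set(), self
        while node is not None:
            roles |= node.local_roles.get(user, set())
            if node.parent is None:
                roles |= node.global_roles.get(user, set())
            node = node.parent
        return roles


def check_permission(user, permission, obj):
    return bool(obj.roles_for_permission(permission) & obj.roles_of(user))


def manage_delObjects(container, user, name, restricted=True):
    # The check is made on the CONTAINER, never on the child being deleted.
    if restricted and not check_permission(user, DELETE, container):
        raise Unauthorized(f"{user} may not delete from {container.name}")
    container.children[name].manage_beforeDelete()
    del container.children[name]


def build_site(member_can_delete):
    # Constructed site: hans and kurt are ordinary Members; hans owns xyz.
    root = Folder("root")
    root.global_roles = {"hans": {"Member"}, "kurt": {"Member"}}
    root.manage_permission(DELETE, ["Manager"])
    intranet = Folder("intranet", root)
    roles = ["Owner", "Member"] if member_can_delete else ["Owner"]
    intranet.manage_permission(DELETE, roles, acquire=False)
    xyz = Folder("xyz", intranet, private=True)
    xyz.manage_addLocalRoles("hans", ["Owner"])
    return root, intranet, xyz


def can_delete(user, container):
    return check_permission(user, DELETE, container)


def unrestricted_delete_succeeds():
    # Point 1: code outside the security system is simply not checked.
    _, intranet, _ = build_site(member_can_delete=False)
    manage_delObjects(intranet, "kurt", "xyz", restricted=False)
    return "xyz" not in intranet.children


if __name__ == "__main__":
    _, intranet, xyz = build_site(member_can_delete=True)
    print("xyz private:", xyz.private, "- kurt can delete:", can_delete("kurt", intranet))
```

Note that hans's Owner role on "xyz" buys him nothing: once the container grants "Delete objects" to Owner only, neither kurt nor hans can delete "xyz" until hans is also Owner on "intranet". A unit test for the real site should therefore assert on the container's permission settings and call the delete through the restricted path, not through filesystem code.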