[Zope-CMF] [dev] checkPermission and proxy roles
yuppie
y.2004_ at wcm-solutions.de
Mon Feb 9 09:27:05 EST 2004
Hi!

    def checkPermission(self, permission, object, context):
        # XXX proxy roles and executable owner are not checked
        ...

As this comment in Zope's checkPermission method says, proxy roles are
not respected by checkPermission. CMF makes extensive use of
checkPermission in its tools. So you have a good chance that TTW code
that's working for a manager will not work with a manager proxy role.

Is this a policy decision, would changing checkPermission() to respect
proxy roles open any potential security holes or did just nobody work on
the implementation? The 'XXX' seems to mark this as a 'to do'.

I think at least utils._checkPermission() should be modified to
implement this. Maybe we can use some code from validate().

Any thoughts?

Cheers,
Yuppie
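
Added example, not part of the original post and not Zope or CMF code: a simplified model of the gap the post describes, comparing a permission check that consults only the user's roles with one that also looks at the running executable. All class and function names are constructed, and the executable-owner and proxy-role handling is an assumption modelled on how validate() treats the executable stack.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: frozenset

@dataclass
class Executable:
    """Stand-in for a TTW script; proxy_roles plays the part of _proxy_roles."""
    name: str
    owner: User
    proxy_roles: frozenset = frozenset()

@dataclass
class Context:
    user: User
    stack: list = field(default_factory=list)  # executables currently running

def roles_for(permission, obj):
    # In this model an object is a dict: permission name -> roles granted it.
    return frozenset(obj.get(permission, ()))

def check_user_only(permission, obj, context):
    """Behaviour the XXX comment describes: only the user's roles count."""
    return bool(context.user.roles & roles_for(permission, obj))

def check_with_proxy(permission, obj, context):
    """Variant that also honours the executable on top of the stack."""
    needed = roles_for(permission, obj)
    if context.stack:
        exe = context.stack[-1]
        # Executable owner: a script cannot do what its owner could not do.
        if not (exe.owner.roles & needed):
            return False
        # Proxy roles replace the user's roles; they are not added to them.
        if exe.proxy_roles:
            return bool(exe.proxy_roles & needed)
    return bool(context.user.roles & needed)

# Constructed sample data.
PERM = "Manage portal"
PORTAL = {PERM: ["Manager"]}
MANAGER = User("admin", frozenset({"Manager"}))
MEMBER = User("member", frozenset({"Member"}))

def compare(user, script):
    """Return (user-only result, proxy-aware result) for one call."""
    ctx = Context(user=user, stack=[script])
    return check_user_only(PERM, PORTAL, ctx), check_with_proxy(PERM, PORTAL, ctx)
```

The two checks disagree in both directions: a Member running a Manager-owned script with a Manager proxy role is refused by the user-only check, while a Manager running a script whose proxy roles are only Member is allowed by it even though the proxy-aware check refuses.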