[Zope-CMF] [dev] checkPermission and proxy roles
Dieter Maurer
dieter at handshake.de
Mon Feb 9 13:21:12 EST 2004
yuppie wrote at 2004-2-9 15:27 +0100:
> ...
> def checkPermission(self, permission, object, context):
> # XXX proxy roles and executable owner are not checked
> ...
> Is this a policy decision, would changing checkPermission() to respect
> proxy roles open any potential security holes or did just nobody work on
> the implementation? The 'XXX' seems to mark this as a 'to do'.
I think we should have both possibilities:
* check whether the real user would have the permission
  (independent of proxy roles)
* check whether the current context has the permission
  (dependent on the current proxy roles and other
  execution security aspects (such as ownership))
--
Dieter
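The two checks Dieter distinguishes, as an added Python illustration that is not Zope's or CMF's own code: a constructed permission-to-roles map and two small functions, the first ignoring proxy roles, the second applying them. It assumes a simplified model in which proxy roles replace the caller's roles while the executable runs and an owned executable cannot exceed what its owner may do; the real Zope security policy has more cases than this.

```python
# Added example (not Zope code): a simplified model of checking a permission
# for the real user versus for the current execution context.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class User:
    name: str
    roles: FrozenSet[str]


@dataclass
class Executable:
    # Assumption: proxy roles replace the caller's roles while this runs.
    proxy_roles: Optional[FrozenSet[str]] = None
    # Assumption: an owned executable is limited to its owner's rights.
    owner: Optional[User] = None


# Constructed permission map: permission -> roles allowed to exercise it.
PERMISSION_MAP = {
    "View": frozenset({"Anonymous", "Member", "Manager"}),
    "Modify portal content": frozenset({"Owner", "Manager"}),
}


def roles_for(permission: str) -> FrozenSet[str]:
    return PERMISSION_MAP.get(permission, frozenset())


def real_user_has_permission(user: User, permission: str) -> bool:
    """Check 1: would the real user hold the permission, proxy roles ignored."""
    return bool(user.roles & roles_for(permission))


def context_has_permission(user: User, permission: str,
                           executable: Optional[Executable] = None) -> bool:
    """Check 2: does the current execution context hold the permission,
    taking proxy roles and executable ownership into account."""
    allowed = roles_for(permission)
    effective = user.roles
    if executable is not None:
        if executable.proxy_roles is not None:
            effective = executable.proxy_roles
        if executable.owner is not None and not (executable.owner.roles & allowed):
            return False
    return bool(effective & allowed)
```

The same user and permission can yield different answers from the two functions, which is why a checkPermission() that only implements the first check says nothing about what a proxied script may actually do.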