[Zope-dev] Server Side Trojan Issue really dead?

KevinL darius@bofh.net.au
Mon, 07 Aug 2000 22:17:52 +1000


> Steve Alexander wrote:
> However... the zope security system could help with this. Here's an ill
> thought out idea for your consideration :-)
> 
> Have a function that takes two sets of permissions, and returns the
> intersection of these sets. Then, use some sort of local permissions
> combination to make the wiki page that's been edited have the resultant
> lowest-common-denominator permissions, even for the owner.

Correct me if I'm wrong, but wouldn't this have the same problem?  Person of 
high access makes zwiki, person of low access adds evil function to it, person 
of high access views it - unless you're tracking "smallest set of privileges 
held by anyone editing this page" at all times, you're going to intersect 
owner with creator and still allow editor to trojan.

Is that the essential problem, or should I be quiet and go away?  (or both? ;)

KevinL
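A toy model of the two policies in this exchange, written as an added example in Python (Zope's language); it is not code from the original thread or from Zope's actual security machinery. `User`, `Page`, the permission names and the function names are all hypothetical. It contrasts intersecting only owner with creator against a running intersection over everyone who has ever edited the page, and shows that only the latter stops a low-privilege editor's planted code from running with a high-privilege viewer's rights.

```python
# Added example (not from the original thread or from Zope itself): a toy
# model of the two permission policies under discussion, with hypothetical names.
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]


@dataclass
class Page:
    owner: User
    creator: User
    # Everyone who has edited the page since creation, in edit order.
    editors: List[User] = field(default_factory=list)


Policy = Callable[[Page], FrozenSet[str]]


def owner_creator_intersection(page: Page) -> FrozenSet[str]:
    """The reading KevinL objects to: intersect owner with creator only.
    Later editors never enter the computation."""
    return page.owner.permissions & page.creator.permissions


def least_privileged_editor(page: Page) -> FrozenSet[str]:
    """The alternative KevinL describes: the running intersection of the
    permissions of everyone who has ever touched the page."""
    perms = page.owner.permissions & page.creator.permissions
    for editor in page.editors:
        perms &= editor.permissions
    return perms


def embedded_code_may(page: Page, viewer: User, needed: str, policy: Policy) -> bool:
    """Does code embedded in `page` get to perform an action needing `needed`
    when `viewer` renders the page?  The viewer's own permissions are clipped
    to whatever the policy grants the page."""
    effective = viewer.permissions & policy(page)
    return needed in effective


# Constructed permission sets; the names are illustrative, not Zope's.
HIGH = frozenset({"View", "Edit", "Manage users"})
LOW = frozenset({"View", "Edit"})


def trojan_scenario() -> Page:
    """admin creates the page; mallory (Edit but not Manage users) edits it
    and plants code that calls something needing 'Manage users'."""
    admin = User("admin", HIGH)
    mallory = User("mallory", LOW)
    page = Page(owner=admin, creator=admin)
    page.editors.append(mallory)
    return page


def trojan_fires(policy: Policy) -> bool:
    """True if mallory's planted code gains 'Manage users' when admin views the page."""
    page = trojan_scenario()
    return embedded_code_may(page, viewer=page.owner, needed="Manage users", policy=policy)


def owner_keeps_rights_on_own_page(policy: Policy) -> bool:
    """Sanity check: a page only ever edited by its high-privilege owner keeps full rights."""
    admin = User("admin", HIGH)
    page = Page(owner=admin, creator=admin, editors=[admin])
    return embedded_code_may(page, viewer=admin, needed="Manage users", policy=policy)


if __name__ == "__main__":
    print("owner/creator only, trojan fires:", trojan_fires(owner_creator_intersection))  # True
    print("all editors tracked, trojan fires:", trojan_fires(least_privileged_editor))    # False
```

The second policy only works if the editor list is append-only and the intersection is recomputed on every save; a page whose history is rewritten, or whose intersection is cached from before a low-privilege edit, reopens the same hole.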