[Zope-dev] Help on Zope security needed ...

Joachim Werner joe@iuveno-net.de
Wed, 1 Aug 2001 20:49:43 +0200


Hello Dieter!

>   Zope security had been strengthened to explicitly forbid access
>   to objects outside the folder covered by the authenticating
>   user folder.

That's good in terms of security. But also extremely limiting. My idea was
that I'd be able to say

"All editors can edit stuff" and protect the corresponding methods with the
"Edit stuff" permission.
Then I'd assign the "Editor" role on a local basis, either using local roles
or our Slave User Folder.

So I could have an Editor that can edit stuff in some subfolders (where he
is "Editor"), but not everywhere.

With the limitations the security machinery seems to have, I'll have to do
it the hard way: set up all users in the root folder and then create dozens
or even hundreds of dedicated roles like "Add stuff to folder FOLDER" or
"Add stuff to folder ROOT" ...

This is ugly ...

Isn't there any better way?

>  > The funny thing is: http://.../ROOT/FOLDER/title will work fine ...
> Indeed, funny. Should probably not happen. Are you
> sure you get the "title" from root and not that from "FOLDER"
> (it has a "title" of its own).

The "title" thing was a bad example, as there is a "title" attribute. In the
real case it is not "title" but "managementButtonBar", so the naming issue
is none. And I verified the thing again: It really works the way I described
it ...

>  > Also, if the user is in the ROOT folder, everything works fine. But then I
>  > can't really do what I want, i.e. restrict permissions to the FOLDER folder
>  > ....
> That's to be expected, because then, the authenticating user folder
> covers the "title" method.

I understand ...

Cheers

Joachim