[Zope-dev] Help on Zope security needed ...
Chris McDonough
chrism@zope.com
Fri, 03 Aug 2001 13:48:25 -0400
I am following up on this at the moment, hang tight.
Joachim Werner wrote:
>
> > Just tested it with blank zope 2.3.3
> >
> > /
> > method
> > - testfolder
> > - userfolder with user test and manager role (just in testfolder!)
> >
> > The following doesn't work for user test:
> >
> > http://localhost/method/manage
> >
> >
> > The following _will_ work for user test:
> >
> > http://localhost/testfolder/method/manage
> >
> >
> > and lets me change method, which is contained
> > in Zope's root.
> >
> > Hmm, this shouldn't be so, should it?
>
> No, it shouldn't.
>
> Am starting to think that the Zope security model implementation is a bit
> "strange". What I'd need in practice is a security model that
>
> a) is completely predictable (that's what
> http://dev.zope.org/Wikis/DevSite/Proposals/SecurityJihad is working on)
> b) would normally make sure that somebody in a subfolder can not get access
> to anything that is explicitly protected in the parent folder
> c) would on the other hand offer the possibility to bind access to a role,
> regardless where in the folder hierarchy somebody gets the role.
>
> The problem is with acquisition: If I have an "editButtonsBar" widget in my
> root directory, I'd like to make it available to ALL Editors, not just to
> the ones who have editor roles in root.
>
> On the other hand, if I have a standard header or footer that should not be
> overridden in a subfolder, this should be possible. This means I'd not only
> need a permission that can not be bound to roles in the subfolder, but also
> a mechanism to prevent overriding the object ...
--
Chris McDonough Zope Corporation
http://www.zope.org http://www.zope.com
""" Killing hundreds of birds with thousands of stones """
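
A simplified model of the behaviour reported in the quoted test case, next to the containment-based check asked for in point (b). It is an added illustration, not Zope code and not from either poster; the class and function names are hypothetical, and the trailing `manage` view from the URLs is left out.

```python
# Toy model of the report above; not Zope code. All names are hypothetical.

class Node:
    def __init__(self, name, container=None, local_roles=None):
        self.name = name
        self.container = container            # folder the object physically lives in
        self.local_roles = local_roles or {}  # user -> roles from this folder's user folder
        self.children = {}
        if container is not None:
            container.children[name] = self

def traverse(root, url_path):
    """Resolve a URL path with acquisition: a name missing from the current
    folder is looked up in its containers. Returns (object, nodes visited)."""
    visited, current = [root], root
    for name in filter(None, url_path.split("/")):
        holder = current
        while holder is not None and name not in holder.children:
            holder = holder.container
        if holder is None:
            raise KeyError(name)
        current = holder.children[name]
        visited.append(current)
    return current, visited

def roles_along(user, nodes):
    return {role for n in nodes for role in n.local_roles.get(user, ())}

def allowed_by_url_context(root, user, url_path, needed="Manager"):
    """Reported behaviour: a role picked up anywhere along the URL counts."""
    _, visited = traverse(root, url_path)
    return needed in roles_along(user, visited)

def allowed_by_containment(root, user, url_path, needed="Manager"):
    """Point (b): only roles granted in the object's own containers count."""
    obj, _ = traverse(root, url_path)
    chain, node = [], obj
    while node is not None:
        chain.append(node)
        node = node.container
    return needed in roles_along(user, chain)

# Constructed layout matching the test case: "method" lives in the root,
# user "test" has the Manager role only inside testfolder.
root = Node("")
Node("method", root)
Node("testfolder", root, local_roles={"test": ["Manager"]})
```
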