[Zope-dev] Help on Zope security needed ...

Chris McDonough chrism@zope.com
Fri, 03 Aug 2001 13:48:25 -0400


I am following up on this at the moment, hang tight.

Joachim Werner wrote:
> 
> > Just tested it with blank zope 2.3.3
> >
> > /
> > method
> >  - testfolder
> >    - userfolder with user test and manager role (just in testfolder!)
> >
> > The following doesn't work for user test:
> >
> > http://localhost/method/manage
> >
> >
> > The following _will_ work for user test:
> >
> > http://localhost/testfolder/method/manage
> >
> >
> > and lets me change method, which is contained
> > in Zope's root.
> >
> > Hmm, this shouldn't be so, should it?
> 
> No, it shouldn't.
> 
> Am starting to think that the Zope security model implementation is a bit
> "strange". What I'd need in practice is a security model that
> 
> a) is completely predictable (that's what
> http://dev.zope.org/Wikis/DevSite/Proposals/SecurityJihad is working on)
> b) would normally make sure that somebody in a subfolder can not get access
> to anything that is explicitly protected in the parent folder
> c) would on the other hand offer the possibility to bind access to a role,
> regardless where in the folder hierarchy somebody gets the role.
> 
> The problem is with acquisition: If I have an "editButtonsBar" widget in my
> root directory, I'd like to make it available to ALL Editors, not just to
> the ones who have editor roles in root.
> 
> On the other hand, if I have a standard header or footer that should not be
> overridden in a subfolder, this should be possible. This means I'd not only
> need a permission that can not be bound to roles in the subfolder, but also
> a mechanism to prevent overriding the object ...
> 

-- 
Chris McDonough                           Zope Corporation
http://www.zope.org                    http://www.zope.com

""" Killing hundreds of birds with thousands of stones """