[Zope-dev] proxy role inheritence (was REQUEST.AUTHENTICATED_USER
question)
R. David Murray
bitz@bitdance.com
Thu, 24 Jan 2002 13:14:10 -0500 (EST)
On 24 Jan 2002, Leonardo Rochael Almeida wrote:
> When you give a method one or more proxy roles, the user that can
> view/call it assumes these roles instead of his own. That means he has
> the permissions these proxy roles have, instead of the permissions his
> own roles would give him (which means proxy-roles can enhance as well as
> reduce permissions). This means proxy roles only work for that method
> that is being viewed/called (and other methods called from it as well),
Actually, I believe this is not true. My understanding is that
the proxy is only good for the method it is on. If it calls another
DTML method, that sub-DTML method runs with the original user's
roles. I believe the same is true for called pythonscripts.
Actually, writing that down calls forth a question. If you put
a proxy role on a method to *reduce* priviledges, shouldn't the
reduction apply to called methods even if an increase in permissions
doesn't apply to called methods? Does it?
--RDM