[Zope-dev] Security-Problem
Shane Hathaway
shane@zope.com
Tue, 18 Feb 2003 12:01:45 -0500
On 02/18/2003 09:16 AM, Andre Schubert wrote:
> I try to explain what happens. Lets say i have a user called foo who
> has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to
> a folder called bar and foobar. foobar is called from inside bar
> (<dtml-call foobar>). He also created a Role MSAdmin. bar is
> accessible and visible by Anonymous Users. foobar is accessible and
> visible by MSAdmin and Manager. If i view bar and login as a user
> with MSAdmin-Roles everything works fine. But if i remove the
> Manager-Role from foo who has created the two DTMLMethods i get the
> above error.
Do you not want foo to have the Manager role?
> I have the same problem with a really big Zope-Site where i have the
> remove Manager-Roles from a specific user. The only solution i have
> found is to recreate the DTMLMethods, but it is very hard to
> reacreate all DTMLMethods created by foo.
I think you're asking for a "find + chown" utility, right? I don't know
of one, but it sure would be nice to have. :-)
Shane