[Zope-dev] Security-Problem

Andre Schubert andre@km3.de
Wed, 19 Feb 2003 07:34:53 +0100


On Tue, 18 Feb 2003 12:01:45 -0500
Shane Hathaway <shane@zope.com> wrote:

> On 02/18/2003 09:16 AM, Andre Schubert wrote:
> > I try to explain what happens. Let's say I have a user called foo who
> > has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to
> > a folder called bar and foobar. foobar is called from inside bar
> > (<dtml-call foobar>). He also created a Role MSAdmin. bar is
> > accessible and visible by Anonymous Users. foobar is accessible and
> > visible by MSAdmin and Manager. If I view bar and log in as a user
> > with MSAdmin-Roles everything works fine. But if I remove the
> > Manager-Role from foo who has created the two DTMLMethods I get the
> > above error.
> 
> Do you not want foo to have the Manager role?

No, because he is no longer in our company.

> 
> > I have the same problem with a really big Zope-Site where I have to
> > remove Manager-Roles from a specific user. The only solution I have
> > found is to recreate the DTMLMethods, but it is very hard to
> > recreate all DTMLMethods created by foo.
> 
> I think you're asking for a "find + chown" utility, right?  I don't know 
> of one, but it sure would be nice to have. :-)
> 

It would be very nice to have such a tool :)

BTW: Thanks for the quick answers, you've helped me understand the problem.
     I'll take ownership of all objects where foo was the owner
     and the problems should go away :)
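The behaviour discussed in this thread, and the "find + chown" walk Shane suggests, as an added example that is not part of the original thread and not Zope's own code. It is a simplified Python model of Zope 2's rule for owned executable content (a DTML Method runs only if both the calling user and the object's owner hold a role granting access, with access granted to Anonymous treated as public), plus a tree walk that lists objects owned by a given user and reassigns them. The object tree, user table and role names are constructed to mirror the scenario in the thread; the `Node` class and the helper functions are assumptions of this model, not Zope APIs.

```python
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised where Zope would raise Unauthorized."""


@dataclass
class Node:
    """Toy stand-in for a Zope folder or DTML Method (constructed, not Zope code)."""
    name: str
    owner: Optional[str] = None                 # user id of the owner, None = unowned
    view_roles: set = field(default_factory=set)  # roles granted the View permission
    children: dict = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        self.children[child.name] = child
        return child


def roles_of(users: dict, userid: Optional[str]) -> set:
    return users.get(userid, set()) if userid is not None else set()


def check_call(node: Node, caller: str, users: dict) -> bool:
    """Model of the ownership rule: the caller must be allowed, and if the object
    has an owner, the owner's *current* roles must allow it too.  Access granted to
    the Anonymous role is treated as public, as Zope's security policy does."""
    if "Anonymous" in node.view_roles:
        return True
    if not (roles_of(users, caller) & node.view_roles):
        raise Forbidden(f"{caller} may not call {node.name}")
    if node.owner is not None and not (roles_of(users, node.owner) & node.view_roles):
        raise Forbidden(f"owner {node.owner} of {node.name} no longer has a permitted role")
    return True


def walk(node: Node, path=()):
    """Depth-first traversal yielding (path tuple, node) pairs."""
    path = path + (node.name,)
    yield path, node
    for child in node.children.values():
        yield from walk(child, path)


def find_owned_by(root: Node, userid: str) -> list:
    """The 'find' half: every object in the tree owned by userid."""
    return ["/".join(p) for p, n in walk(root) if n.owner == userid]


def chown(root: Node, old_owner: str, new_owner: str) -> list:
    """The 'chown' half: reassign every object owned by old_owner to new_owner."""
    changed = []
    for p, n in walk(root):
        if n.owner == old_owner:
            n.owner = new_owner
            changed.append("/".join(p))
    return changed


def build_site():
    """Constructed site mirroring the thread: foo owns bar (public) and foobar
    (MSAdmin/Manager only); bar calls foobar."""
    users = {"foo": {"Manager"}, "admin": {"Manager"}, "msuser": {"MSAdmin"}}
    root = Node("root", owner="admin", view_roles={"Manager"})
    folder = root.add(Node("folder", owner="admin", view_roles={"Manager"}))
    folder.add(Node("bar", owner="foo", view_roles={"Anonymous"}))
    folder.add(Node("foobar", owner="foo", view_roles={"MSAdmin", "Manager"}))
    return root, users


def view_bar(root: Node, caller: str, users: dict) -> str:
    """Simulate viewing bar, which in turn does <dtml-call foobar>."""
    folder = root.children["folder"]
    check_call(folder.children["bar"], caller, users)
    check_call(folder.children["foobar"], caller, users)
    return "ok"


if __name__ == "__main__":
    root, users = build_site()
    print(view_bar(root, "msuser", users))          # works while foo is a Manager
    users["foo"] = set()                            # foo leaves the company
    try:
        view_bar(root, "msuser", users)
    except Forbidden as exc:
        print("after stripping foo's roles:", exc)
    print("owned by foo:", find_owned_by(root, "foo"))
    print("reassigned:", chown(root, "foo", "admin"))
    print(view_bar(root, "msuser", users))          # works again
```

The second `Forbidden` branch in `check_call` is the one that bites in the thread: the MSAdmin user is still allowed, but once foo's Manager role is gone the owner check on foobar fails, so the error surfaces when bar is viewed. In a real Zope instance the equivalent of `chown` is the "Take ownership" action on an object's Ownership tab (with the recursive option for a folder subtree), which is what the final reply above describes doing.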