[Zope-dev] Initial ZODB permissions
Leonardo Rochael Almeida
leo at hiper.com.br
Thu Oct 9 20:51:29 EDT 2003
On Wed, 2003-10-08 at 18:45, Andy McKay wrote:
> > Yeah, wrong but toothless. Feel free to fix on appropriate branches I
> > guess :-)
>
> Well yeah but I'm betting it's there for a reason, I just don't know what
> it is yet. Changing that is sure to break something...

The best I could find out is this snippet in Zope 2.6.2 CHANGES.txt:

    - A new permission "Copy or Move" was added. This permission
      may be used respective to an object to prevent objects
      from being copyable or movable while within the management
      interface. The "old" behavior stipulated that users who
      possessed the "View management screens" permission to an object's
      container could copy or move the object arbitrarily, even if they
      had limited access to the object itself. Once the object was
      moved or copied, the user became the owner of the new object,
      allowing them to see potentially sensitive information in
      the management interface for the object itself. This permission
      is granted to Manager and Anonymous by default, and must be
      revoked on an object-by-object basis if site managers intend
      to provide management screen access to folders which contain
      sensitive subobjects. This patch came as a result of
      Collector #376 (thanks to Chris Deckard).

Cheers, Leo
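
A simplified model of the check the changelog entry describes, added here as an example; it is not code from Zope or from this thread. The `Node` class, the `Editor` role and the site layout are constructed, and the rule in `can_copy_new` (container check plus "Copy or Move" on the object) is an assumption read from the changelog text.

```python
VMS, COPY = "View management screens", "Copy or Move"

class Node:
    """Constructed stand-in for a ZODB object with a Security tab."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.settings = {}  # permission -> (roles granted here, acquire from parent?)

    def set_permission(self, permission, roles, acquire):
        self.settings[permission] = (frozenset(roles), bool(acquire))

    def effective_roles(self, permission):
        """Roles granted here plus, while 'acquire' is on, those of the containers."""
        roles, acquire = self.settings.get(permission, (frozenset(), True))
        if acquire and self.parent is not None:
            roles = roles | self.parent.effective_roles(permission)
        return roles

def allowed(user_roles, obj, permission):
    # A grant to Anonymous covers every user, logged in or not.
    return bool((set(user_roles) | {"Anonymous"}) & obj.effective_roles(permission))

def can_copy_old(user_roles, obj):
    """Pre-2.6.2 rule from the changelog: only the container is checked."""
    return allowed(user_roles, obj.parent, VMS)

def can_copy_new(user_roles, obj):
    """Assumed 2.6.2 rule: the container check plus 'Copy or Move' on the object."""
    return can_copy_old(user_roles, obj) and allowed(user_roles, obj, COPY)

def build_site():
    """Constructed site: root defaults as in the changelog, one sensitive subobject."""
    root = Node("root")
    root.set_permission(VMS, ["Manager"], acquire=False)
    root.set_permission(COPY, ["Manager", "Anonymous"], acquire=False)
    folder = Node("dept", root)
    folder.set_permission(VMS, ["Editor"], acquire=True)  # hypothetical delegated role
    secret = Node("payroll", folder)
    return root, folder, secret

def lock_down(obj):
    """The per-object revocation the changelog asks site managers to perform."""
    obj.set_permission(COPY, ["Manager"], acquire=False)
```

With the default grant to Anonymous in place, the new permission denies nothing; only after `lock_down` on the sensitive object does the delegated folder manager lose the ability to copy it.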