[Zope-dev] permission inheritance from conflicting groups

Daniel Blackburn blackburnd at gmail.com
Tue Jun 10 10:54:15 EDT 2008


On Tue, Jun 10, 2008 at 9:34 AM, Stephan Richter <
srichter at cosmos.phy.tufts.edu> wrote:

> On Monday 09 June 2008, Daniel Blackburn wrote:
> > It seems that there either may be an issue with Zope security or I do
> > not understand it properly. Please let me know what you guys think.
> >
> > Lets say we have a principal with no direct permissions or roles
> > assigned to see a view index.html. The principal has two groups,
> > group1 and group2. group1 allows the principal to see index.html and
> > group2 denys access to index.html. It seems to me that in this
> > situation of conflicting permissions a deny permission should result
> > for the principal to the index view. However it does not, the
> > permission will be digested into allowing the principal to have access
> > to the view. Is this the desired behavior, or just simply overlooked.
> > I looked in the doctests and did not see anything like this. Any
> > feedback would be appreciated.
>
> I would epxect the order of the groups to matter and simply the setting
> that
> is found last wins. This is a third possible behavior that mimics Python's
> inheritance behavior.
>
> The order seems to have no effect on the inheritance, I just ran the tests
> with two

    groups and toggled the permissions on each.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.zope.org/pipermail/zope-dev/attachments/20080610/60ad9ffa/attachment.html


More information about the Zope-Dev mailing list