[Zope] AW: [Zope] Problems with manage_clone

a.wacknitz@francotyp.com a.wacknitz@francotyp.com
Wed, 5 Apr 2000 10:19:46 +0200


> On Tue, 4 Apr 2000 a.wacknitz@francotyp.com wrote:
> > manage_clone() is only allowed to managers. How can I authorize a user
> > without "AUTHENTICATED_USER.has_role('Manager')" to use this method? I
>
> You want to give your method that calls manage_clone a "proxy" role
> of manager.
But isn't this a security hole? I don't want a user who guesses the name of
the method to call the method with arbitrary parameters and do things he is
not supposed to do...

Andreas