[Zope] security quickie
Manuel Amador (Rudd-O)
amador@alomega.com
Tue, 17 Oct 2000 00:31:32 -0500
I too have a doubt about security stuff.
It so happens that I have this setup:

rootfolder
+ myfolderobjects
  + inheritedstuff

I have a user X in the root folder. Roles are set so that anonymous doesn't have
permission for anything. Then there is a User role that is allowed some
stuff, and I assign the local role of User to X in inheritedstuff. He can now
see index_html. I proxy-role index_html to the User role
so I can <dtml-var somestuff> that is in myfolderobjects, somestuff being a
DTML Method.

It works. X can access index_html, which in turn includes somestuff from its
parent folder, and I did not have to give him explicit rights to any of the
objects in myfolderobjects.

BUT, if I try to <dtmlvar somesqlmethod>, it won't work. Note that the User
role does have permission to run SQL methods.

That is, in my point of view, a mistake in Zope's security policy. If I
proxy-role a document or method, I should be able to acquire anything
specified in it from its parent hierarchy.

Please help or tip. Thanks =)

Seb Bacon wrote:
> Does Zope security provide a way of restricting what objects are listed to
> an authenticated user inside the Zope 'manage' interface? I'm getting my
> head all twisted up over this security / proxy roles /local roles lark.
>
> Thanks, seb
--
Manuel Amador (Rudd-O)