[Zope] Zope security management

John R. Daily jdaily@progeny.com
Mon, 26 Feb 2001 13:21:18 -0500


I'm increasingly frustrated with the Zope security management
framework, and I'd like to know if there is a way to work around some
of my problems, and/or whether this will be addressed in the future.
Or, perhaps I'm looking at all this from the wrong perspective.

Essentially, I'd like a way to eliminate a role in certain
directories. For example, if anonymous users should be granted no
access to a "/private" folder, I want to lock down /private and all
sub-directories against anonymous access.

The only solutions I've found are inadequate. What I've found:

* At the root folder, find those permissions which are enabled for the
anonymous role, and remove them in /private by de-selecting the
"inherit permissions" checkbox and re-enable appropriate roles.

* In /private, de-select _all_ "inherit permissions" checkboxes and
re-enable appropriate roles.

The first is inadequate because of the lack of control over what
permissions are enabled for anonymous users at the root folder. If a
particular permission is added to the root folder the next day,
anonymous users now have a permission in /private which they should
not have.

The second, besides being extremely tedious and error-prone, removes
the flexibility of defining globally what permissions roles should
play across all of the server.

What am I missing?

--                                                                   --
John R. Daily                                        jdaily@progeny.com
Systems Programmer                                Progeny Linux Systems
		  Master of the ephemeral epiphany
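The leak the post describes (a permission granted to Anonymous at the root the next day silently acquiring into /private) can be made concrete with a small audit model. This is an added example, not Zope's own API and not the poster's code: it simulates Zope 2's per-permission "inherit permissions" (acquire) setting as the post describes it, with sample permission names, and reports which permissions a role still effectively holds in a subfolder.

```python
# Added simulation of Zope 2 per-permission acquisition, as described in the
# post; hypothetical model used to audit a role's effective permissions.
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    # permission -> (roles granted locally, "inherit permissions" checked?)
    settings: dict = field(default_factory=dict)

    def set_permission(self, perm, roles, acquire=True):
        self.settings[perm] = (set(roles), acquire)

    def effective_roles(self, perm):
        """Roles holding perm here: local roles, plus the parent's effective
        roles while the inherit box is checked (Zope's default)."""
        roles, acquire = self.settings.get(perm, (set(), True))
        result = set(roles)
        if acquire and self.parent is not None:
            result |= self.parent.effective_roles(perm)
        return result

    def known_permissions(self):
        perms = set(self.settings)
        if self.parent is not None:
            perms |= self.parent.known_permissions()
        return perms


def leaked_permissions(folder, role):
    """Audit check: every permission `role` can still exercise in `folder`."""
    return sorted(p for p in folder.known_permissions()
                  if role in folder.effective_roles(p))


def scenario():
    root = Folder("/")
    root.set_permission("View", ["Anonymous", "Manager"])
    root.set_permission("Access contents information", ["Anonymous", "Manager"])
    private = Folder("private", parent=root)
    # The post's first approach: break acquisition only for permissions
    # Anonymous holds at the root today, re-granting Manager locally.
    for perm in ("View", "Access contents information"):
        private.set_permission(perm, ["Manager"], acquire=False)
    before = leaked_permissions(private, "Anonymous")  # nothing leaks yet
    # Next day an admin grants Anonymous a new permission at the root;
    # /private never broke acquisition for it, so it leaks through.
    root.set_permission("Add Documents, Images, and Files", ["Anonymous"])
    after = leaked_permissions(private, "Anonymous")
    return before, after
```

Running `leaked_permissions` over each folder under /private after any root change is the check the post is asking for; the same model shows why breaking acquisition on every permission (the second approach) stops the leak at the cost of no longer following later root-level changes for any role.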