[Zope] Puzzling security problem

Joel Burton jburton@scw.org
Fri, 13 Jul 2001 00:19:55 -0400 (EDT)


I have a puzzling security problem w/ZClasses.

I have two ZClasses:

  * JBookReviewer, a folderish class that holds JBooks

  * JBook, a book-review class w/properties and methods to display a book

The site is a book-reviewing site where individual people can become
members. I have the coding to allow people to join, become a reviewer,
etc. Where I'm having problems is w/ZClasses + ownership.

The folder structure is:

  /books           <- regular folder
    /reviewers     <-   "       "
      /joel        <- JBookReviewer
        /book1     <- JBook
          ...      <-   "
      /bob         <- JBookReviewer
        /book11    <- JBook

I want each to be able to manage her/his JBookReviewer properties and
books. Each user is already the owner of their JBookReviewer, so I thought
that I could use the "Owner" role of the Reviewer items.

Rather than having to change every Reviewer folder's security, I changed
the Security for /reviewers so that Owner role is allowed to view
management screens, update properties, etc.

Unfortunately, even though bob is the owner of Bob's JBookReviewer folder,
he's not able to manage it -- security denied.

Is there something different I need to do to handle owner privileges for
ZClasses?

Any pointers would be appreciated.

Thanks!

-- 
Joel Burton   <jburton@scw.org>
Director of Information Systems, Support Center of Washington
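The post describes a permission granted to the Owner role at /reviewers and expected to carry down to each JBookReviewer by acquisition. The following Python script is an added example that is not part of the original message: it is a simplified model of how Zope 2 resolves such a check (permission-to-role settings acquired up the folder chain, local roles unioned with global roles), built over a constructed copy of the folder tree from the post. In the model, the `owner` field is ownership metadata only; it does not by itself place a user in the Owner role, which is a local role. The constructed scenario gives `joel` that local role and `bob` only the ownership field, so the script shows one check a site admin would run: for each reviewer folder, does the recorded owner actually hold the Owner local role? Whether that is what happened on Joel's site is an assumption of the example, not something the post states.

```python
"""Simplified model of Zope 2 style permission resolution (added example).

Two mechanisms are modelled, both simplified:
  - roles_for_permission: which roles may exercise a permission on an object,
    following the "acquire" flag up the containment chain
    (cf. Zope's rolesForPermissionOn).
  - roles_in_context: which roles a user holds on an object, i.e. global
    roles plus local roles on the object and all of its ancestors
    (cf. Zope's getRolesInContext).
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    # permission -> (roles allowed at this level, acquire from parent?)
    permission_roles: dict = field(default_factory=dict)
    # username -> set of local roles granted on this object
    local_roles: dict = field(default_factory=dict)
    # ownership metadata; in this model it confers no role by itself
    owner: "str | None" = None


def roles_for_permission(node, permission):
    """Union the roles allowed for `permission` at each level, stopping at the
    first level whose setting is not marked 'acquire'."""
    allowed = set()
    n = node
    while n is not None:
        roles, acquire = n.permission_roles.get(permission, (set(), True))
        allowed |= set(roles)
        if not acquire:
            break
        n = n.parent
    return allowed


def roles_in_context(user, node, global_roles):
    """Global roles plus every local role on `node` or any ancestor."""
    roles = set(global_roles.get(user, ()))
    n = node
    while n is not None:
        roles |= set(n.local_roles.get(user, ()))
        n = n.parent
    return roles


def is_allowed(user, node, permission, global_roles):
    """True if any role the user holds in context is allowed the permission."""
    return bool(roles_in_context(user, node, global_roles)
                & roles_for_permission(node, permission))


def owner_without_owner_role(node):
    """Admin check: object records an owner who lacks the Owner local role."""
    if node.owner is None:
        return False
    return "Owner" not in node.local_roles.get(node.owner, set())


# Constructed tree mirroring the post: /books/reviewers/{joel,bob}
root = Node("")
books = Node("books", root)
reviewers = Node("reviewers", books, permission_roles={
    # "Owner role is allowed to view management screens, update properties"
    "View management screens": ({"Manager", "Owner"}, True),
    "Manage properties": ({"Manager", "Owner"}, True),
})
joel = Node("joel", reviewers, local_roles={"joel": {"Owner"}}, owner="joel")
bob = Node("bob", reviewers, owner="bob")  # constructed: ownership only

GLOBAL_ROLES = {"admin": {"Manager"}, "joel": {"Member"}, "bob": {"Member"}}


def report(permission="Manage properties"):
    """Who may exercise `permission` on which reviewer folder."""
    return {
        ("joel", "joel"): is_allowed("joel", joel, permission, GLOBAL_ROLES),
        ("bob", "bob"): is_allowed("bob", bob, permission, GLOBAL_ROLES),
        ("bob", "joel"): is_allowed("bob", joel, permission, GLOBAL_ROLES),
        ("admin", "bob"): is_allowed("admin", bob, permission, GLOBAL_ROLES),
    }


def audit(folders):
    """Names of reviewer folders whose owner is missing the Owner local role."""
    return [n.name for n in folders if owner_without_owner_role(n)]


if __name__ == "__main__":
    for (user, folder), ok in report().items():
        print(f"{user:5s} on /{folder:5s}: {'allowed' if ok else 'denied'}")
    print("folders to fix:", audit([joel, bob]))
```

Running the script shows the acquired setting at /reviewers working for `joel`, who holds the Owner local role, and `bob` being denied on his own folder despite the ownership field, while `admin` (global Manager) is allowed everywhere; `audit` lists `bob` as the folder whose owner lacks the local role.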