[Zope] Security augmenting not happening

Dieter Maurer dieter@handshake.de
Tue, 17 Jul 2001 23:51:07 +0200 (CEST)


Blandford, Simon [BSS Audio UK] writes:
 > I am trying to make a folder and its contents viewable only by a manager.
 > So in the Security tab, I de-select the inherited "View" box and enable it
 > only in the Manager column.
 > 
 > This worked until I changed the owner of the folder and its contents to
 > being an Owner. In theory, a manager should still have full access to just
 > about everything, but no, not even a mighty manager can view what's in the
 > folder.
This is on purpose, to prevent Trojan Horse attacks.

  The effective permissions are the intersection of what the
  current user and the owner can do.

Read the Zope 2.2 security paper to understand why this is
implemented.


Dieter
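
The intersection rule from the reply, worked through on the folder from the question. This is an added example, not part of the original message and not Zope's own code: a simplified Python model in which `Folder`, `can`, `effective_permissions` and `explain` are hypothetical names, the role data is constructed, and the owner before the change is assumed to have held Manager.

```python
# Simplified model of "effective permissions = user AND owner".
# Not Zope's implementation; all names and data here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Folder:
    permission_roles: dict                           # permission -> roles holding it
    owner_roles: set = field(default_factory=set)    # roles of the folder's owner


def can(folder, roles, permission):
    """True if any of the given roles holds the permission on the folder."""
    return bool(folder.permission_roles.get(permission, set()) & set(roles))


def effective_permissions(folder, user_roles):
    """Permissions that both the current user and the owner hold."""
    return {p for p in folder.permission_roles
            if can(folder, user_roles, p) and can(folder, folder.owner_roles, p)}


def explain(folder, user_roles, permission):
    """Report which side of the intersection blocks access, if any."""
    user_ok = can(folder, user_roles, permission)
    owner_ok = can(folder, folder.owner_roles, permission)
    if user_ok and owner_ok:
        return "allowed"
    if not user_ok and not owner_ok:
        return f"denied: neither user nor owner has {permission}"
    who = "owner" if user_ok else "current user"
    return f"denied: {who} lacks {permission}"


# Constructed data mirroring the thread: View is granted to Manager only.
before = Folder({"View": {"Manager"}}, owner_roles={"Manager"})  # assumed prior owner
after = Folder({"View": {"Manager"}}, owner_roles={"Owner"})     # owner changed
# Why the rule exists: content owned by a low-privileged user cannot borrow
# a visiting manager's extra permissions.
shared = Folder({"View": {"Manager", "Owner"}, "Manage users": {"Manager"}},
                owner_roles={"Owner"})

if __name__ == "__main__":
    manager = {"Manager"}
    print("before:", explain(before, manager, "View"))
    print("after: ", explain(after, manager, "View"))
    print("shared:", sorted(effective_permissions(shared, manager)))
```
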