[Zope] Stock User Folders - Who can add a user?

Oleg Broytmann <phd@phd.fep.ru>
Tue, 22 May 2001 23:56:24 +0400 (MSD)


On Tue, 22 May 2001, Astheimer, David (GXS) wrote:
> Which permission is required to allow a person to add/change/delete items
> in the standard User Folder? Granting the manager role to a person seems to
> do the trick. However, I'd like to open the User Folder to "lesser admins"
> who do not need full manager rights, but do need to add folks and dole out
> roles.

   Don't you see a trap here? :)

   See, your "lesser manager" can add users. Well, she adds a user... with
management rights! And immediately logs in as this user!!!

   If a person can manage users, she can get manager rights. So why not give
them anyway, without forcing them to cheat? :)

   To developer: IWBN if the user who can add users would be allowed to set
roles not higher than its own roles, wouldn't it?

Oleg.
----
     Oleg Broytmann     http://www.zope.org/Members/phd/     phd@phd.pp.ru
           Programmers don't die, they just GOSUB without RETURN.
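
The restriction suggested in the message above, as an added example that is not part of the original post and is not Zope code: a toy user folder in which a user manager may only assign roles she already holds. The `UserFolder` class, the `UserAdmin` and `Editor` role names, and reading "not higher than" as "a subset of the actor's own roles" are all assumptions made for illustration.

```python
"""Toy user folder (constructed model, not Zope's API) comparing unrestricted
role assignment with a 'no roles beyond your own' rule."""


class RoleEscalation(Exception):
    """Raised when an actor tries to hand out a role she does not hold."""


class UserFolder:
    def __init__(self, restrict_grants):
        self.restrict_grants = restrict_grants
        self.roles = {}  # user name -> frozenset of role names

    def _check(self, actor, roles):
        held = self.roles.get(actor, frozenset())
        # "UserAdmin" is a hypothetical role carrying only user management.
        if not held & {"UserAdmin", "Manager"}:
            raise PermissionError(f"{actor} may not manage users")
        extra = frozenset(roles) - held
        if self.restrict_grants and extra:
            raise RoleEscalation(f"{actor} does not hold {sorted(extra)}")

    def set_roles(self, actor, target, roles):
        """Create target or change its roles. The same check applies when
        target == actor, so editing one's own entry is no way around it."""
        self._check(actor, roles)
        self.roles[target] = frozenset(roles)


def escalation_succeeds(restrict_grants):
    """Replay the scenario from the message: a lesser admin adds a Manager."""
    folder = UserFolder(restrict_grants)
    # Constructed sample state: alice is the "lesser admin".
    folder.roles["alice"] = frozenset({"UserAdmin", "Editor"})
    try:
        folder.set_roles("alice", "alice2", {"Manager"})
    except RoleEscalation:
        return False
    return "Manager" in folder.roles["alice2"]


if __name__ == "__main__":
    print("unrestricted folder:", escalation_succeeds(False))
    print("restricted folder:  ", escalation_succeeds(True))
```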