[Zope] weird, zpt security problem?
Dieter Maurer
dieter@handshake.de
Mon, 8 Apr 2002 18:40:34 +0200
Lennart Regebro writes:
> From: "Phil Harris" <phil@harris-family.info>
> > To sum up:
> >
> > If Manager is denied either of the 'Access Contents Information' or 'View'
> > permissions then other users will not be able to gain access to properties
> > of objects even when they have the correct permissions to do so.
>
> Sounds like a bug. Enter it into the collcetor (collector.zope.org) so it
> won't get lost.
> (Not that it will actually get *fixed* that way, but still).
It's probably not a bug but an effect of Zope's Trojan-horse protection:
The effective permissions are the intersection of the user's permissions
and that of the owner.
Almost surely, the owner has only the Manager role and Manager does
not have the necessary permissions.
Dieter