[SECURITY] permission mapping ineffective (was: [Zope] ZClass and Permissions)
Dieter Maurer
dieter@handshake.de
Tue, 25 Jun 2002 23:33:30 +0200
Douwe reported a problem that in his ZClass the permission "Manage properties"
is mapped to "Add XXX" but a role with "Add XXX" permission is unable
to manage properties.
I analysed this problem:
* The ZClass instance contains a correct "_permissionMapper" object.
* When the permission "Manage properties" is resolved for a
ZInstance, "ImPermissionRole" looks for
"_Manage_properties_Permission". When it finds an
attribute with this name and a string value, then it interprets
this as a permission mapping and continues to look for this
new permission.
* In Douwes example, the ZInstance does not contain any
"_Manage_properties_Permission", neither itself nor
acquired nor its class. The class' permission mapping is ineffective
for the ZInstance.
I do not yet understand what happens here.
Normally, I would say, that permission mappings are ineffective
altogether. But, I saw lots of cases where the permission mapping
was very effective.
I will continue the investigation in the next few days...
Dieter