[SECURITY] permission mapping ineffective (was: [Zope] ZClass and Permissions)

Dieter Maurer dieter@handshake.de
Tue, 25 Jun 2002 23:33:30 +0200


Douwe reported a problem that in his ZClass the permission "Manage properties"
is mapped to "Add XXX" but a role with "Add XXX" permission is unable
to manage properties.

I analysed this problem:

  *  The ZClass instance contains a correct "_permissionMapper" object.

  *  When the permission "Manage properties" is resolved for a 
     ZInstance, "ImPermissionRole" looks for
     "_Manage_properties_Permission". When it finds an
     attribute with this name and a string value, then it interprets
     this as a permission mapping and continues to look for this
     new permission.

  *  In Douwe's example, the ZInstance does not contain any
     "_Manage_properties_Permission", neither itself nor
     acquired nor in its class. The class's permission mapping is ineffective
     for the ZInstance.

I do not yet understand what happens here.
Normally, I would say that permission mappings are ineffective
altogether. But I saw lots of cases where the permission mapping
was very effective.

I will continue the investigation in the next few days...


Dieter
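
Added example, not part of the original message and not Zope's own code: a simplified Python model of the lookup described in the analysis above, showing how a missing "_Manage_properties_Permission" attribute leaves a role that holds "Add XXX" without "Manage properties". The Node class, the "Author" role, the default roles tuple, the parent-chain stand-in for acquisition, and the use of the mangled attribute name as the mapping's string value are assumptions of this sketch.

```python
import re

DEFAULT_ROLES = ("Manager",)  # assumption: fallback when no setting is found


def pname(permission):
    """Mangle a permission title into the attribute name that is looked up."""
    return "_" + re.sub(r"[^A-Za-z0-9_]", "_", permission) + "_Permission"


class Node:
    """Constructed stand-in for an object in a containment chain."""

    def __init__(self, parent=None, **attrs):
        self.parent = parent
        self.__dict__.update(attrs)


def roles_for(obj, permission):
    """Return (roles, trace); trace lists every attribute name consulted."""
    name = pname(permission)
    trace = [name]
    while obj is not None:
        value = getattr(obj, name, None)
        # A string value is a permission mapping: restart with the new name.
        # Names already in the trace are skipped so a mapping cycle cannot loop.
        if isinstance(value, str) and value and value not in trace:
            name = value
            trace.append(name)
            continue
        if isinstance(value, (tuple, list)):
            return tuple(value), trace
        obj = obj.parent  # stand-in for acquisition from the container
    return DEFAULT_ROLES, trace


def can(role, obj, permission):
    return role in roles_for(obj, permission)[0]


# Constructed sample data: "Author" holds "Add XXX" on the folder.
folder = Node(_Add_XXX_Permission=("Manager", "Author"))
mapped = Node(folder, _Manage_properties_Permission="_Add_XXX_Permission")
unmapped = Node(folder)  # the mapping attribute is not reachable from here

if __name__ == "__main__":
    for label, inst in (("mapped", mapped), ("unmapped", unmapped)):
        roles, trace = roles_for(inst, "Manage properties")
        print(label, roles, trace, can("Author", inst, "Manage properties"))
```

The trace is the useful part when debugging a case like this one: if it stops at "_Manage_properties_Permission", the mapping attribute was never found on the instance or anything it can reach.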