[BUG] Permission mapping partially ineffective (was:[Zope] ZClass and Permissions)
Dieter Maurer
dieter@handshake.de
Wed, 26 Jun 2002 22:59:56 +0200
Douwe (mailto:douwe@oberon.nl) reported:
... permission mapping has no effect for "manage_addProperty" inherited
from DTMLDocument ...
I analysed the problem:
Permission mappings defined in the ZClass' "Define Permissions" tab itself
(rather than that for a specific method/propertySheet)
are ineffective.
As a consequence, the permissions of inherited methods cannot be
remapped.
Permission mappings defined for specific methods or property sheets
are effective. Accesses to such a method or property sheet
are wrapped into an additional PM (Permission Mapper) acquisition wrapper
that takes care of the permission mapping. Such a wrapper is missing
for ZInstance accesses.
This is a potential security breach, as anticipated protections
expressed via a permission mapping is not effective.
Workaround:
If the permission mapping has the aim to restrict a permission,
there is no work around.
If the permission should be extended, a wrapper method can be defined
that calls the original method. Its "View" permission is mapped
to the desired target permission. It gets a proxy role such that
it is able to call the original method.
Dieter