[Zope] Managing permissions & Security

Samir Mishra SamirMishra@cbuae.gov.ae
Wed, 26 Feb 2003 13:48:13 +0400


Hello all,

Hoping for some help on permissions & security.

I have a root folder defined as UserFolder. Within UserFolder, I've defined
3 additional roles of FolderManager, Author & Reviewer. None of the
permissions are acquired from parent, Author, Reviewer & FolderManager roles
have appropriate explicit permission settings. Manager has been granted ALL
permissions. FolderManager has been granted only the following permissions
(below) -

  Access Transient Objects
  Access arbitrary user session data
  Access contents information
  Add Folders
  Access session data
  Add Forum posting
  Add MetaEntrys
  Add User Folders
  Change ExtFile/ExtImage
  Change Local File System properties
  Change MetaPublisher
  FTP access
  List folder contents
  Log Site Errors
  Mail forgotten password
  Manage users
  MetaPublisher: Add Entry
  MetaPublisher: Edit Entry
  MetaPublisher: List Entries
  MetaPublisher: Manage
  MetaPublisher: Search Entries
  Overwrite local files
  Query Vocabulary
  Set Own Password
  View
  View Forum
  View management screens
  query

No "local roles" have been defined.

What I'm trying to do is create a user within the UserFolder who has
permission to grant access to other users from the management screen. I.e.,
the FolderManager should be able to grant access to other users as either
(Authenticated, Author, Reviewer) by updating the User Folder with
additional usernames. 

The problem I'm having is that I find the FolderManager can create a user
with a role of "Manager" and this user will then have the ability to change
any of the permissions - permissions not originally available to
FolderManager.

Question - 
1) how do I allow the FolderManager to create users with ONLY one of the
following roles - Authenticated, Author, Reviewer - and exclude them from
creating users with the Manager role? Can this be done through the normal
management views?
2) Is there a better way of achieving this - creating a user within a folder
who has the ability to add/delete users in other roles, but cannot assign
themselves to any other role but of FolderManager?


If any of the above is confusing PLEASE let me know, as I'm in a real twist
over how to change this behaviour.

Thanks in advance.

Regards,
Samir.
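Added example, not part of the original post and not Zope's own code: a
small Python model of the escalation path the post describes and of the
check that closes it. The "Manage users" permission on the stock User
Folder gates the add-user action as a whole; it says nothing about which
roles the caller may hand out, so a FolderManager can create a Manager and
inherit all of Manager's permissions through that account. The model below
reproduces that with a constructed role/permission table, then adds a
second table (GRANTABLE_ROLES, this example's own name) that lists the
roles each role may grant, enforced at the add-user and edit-roles entry
points and with self-modification refused. UserFolder, User and
PermissionDenied are also this example's own names, and the permission
subsets are illustrative stand-ins for the post's full list.

```python
# Added example (not from the original post, not Zope's code): model of the
# FolderManager -> Manager escalation and one way to close it.
# All tables and class names below are constructed for illustration.

# Manager's set stands in for "ALL permissions"; FolderManager's is a
# subset of the permission list in the post.
ROLE_PERMISSIONS = {
    "Manager": {"Manage users", "Change permissions", "View",
                "List folder contents", "Add MetaEntrys"},
    "FolderManager": {"Manage users", "View", "List folder contents"},
    "Author": {"View", "Add MetaEntrys"},
    "Reviewer": {"View"},
    "Authenticated": set(),
}

# Roles a principal holding a given role may hand out. A role missing here
# may grant nothing. This table is what the per-permission model lacks.
GRANTABLE_ROLES = {
    "Manager": set(ROLE_PERMISSIONS),
    "FolderManager": {"Authenticated", "Author", "Reviewer"},
}


class PermissionDenied(Exception):
    pass


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def permissions(self):
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))

    def has_permission(self, perm):
        return perm in self.permissions()


class UserFolder:
    def __init__(self, users=()):
        self.users = {u.name: u for u in users}

    def add_user_unrestricted(self, caller, name, roles):
        """Stock behaviour: only 'Manage users' is checked, roles are not."""
        if not caller.has_permission("Manage users"):
            raise PermissionDenied(f"{caller.name} lacks 'Manage users'")
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = User(name, roles)
        return self.users[name]

    def grantable_by(self, caller):
        return set().union(*(GRANTABLE_ROLES.get(r, set()) for r in caller.roles))

    def _check_grant(self, caller, roles):
        if not caller.has_permission("Manage users"):
            raise PermissionDenied(f"{caller.name} lacks 'Manage users'")
        roles = set(roles)
        unknown = roles - set(ROLE_PERMISSIONS)
        if unknown:
            raise PermissionDenied(f"unknown roles {sorted(unknown)}")
        disallowed = roles - self.grantable_by(caller)
        if disallowed:
            raise PermissionDenied(f"{caller.name} may not grant {sorted(disallowed)}")

    def add_user_restricted(self, caller, name, roles):
        """Hardened: roles must come from the caller's own allow-list."""
        self._check_grant(caller, roles)
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = User(name, roles)
        return self.users[name]

    def set_roles_restricted(self, caller, name, roles):
        """Editing goes through the same check; nobody edits their own roles."""
        if name == caller.name:
            raise PermissionDenied("a user may not change their own roles")
        self._check_grant(caller, roles)
        self.users[name].roles = set(roles)
        return self.users[name]


def escalation_succeeds():
    """The post's problem: the new Manager holds 'Change permissions',
    which the FolderManager who created it never had."""
    fm = User("folderman", ["FolderManager"])
    folder = UserFolder([fm])
    mallory = folder.add_user_unrestricted(fm, "mallory", ["Manager"])
    return (mallory.has_permission("Change permissions")
            and not fm.has_permission("Change permissions"))


def escalation_blocked():
    """With the allow-list check the same request is refused, while
    creating an Author still works."""
    fm = User("folderman", ["FolderManager"])
    folder = UserFolder([fm])
    try:
        folder.add_user_restricted(fm, "mallory", ["Manager"])
        blocked = False
    except PermissionDenied:
        blocked = True
    author = folder.add_user_restricted(fm, "alice", ["Author"])
    return blocked and author.roles == {"Author"} and "mallory" not in folder.users
```

The point of the model is where the check lives: it has to be inside the
action that writes the role list, because a permission grant alone cannot
say "may create users, but only with these roles". It also has to cover
editing existing users and the caller's own account, otherwise the
FolderManager simply promotes an existing user (or themselves) instead of
creating a new Manager.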