[Zope] Python Script Security Question

Geir Bækholt Geir Bækholt
Wed, 30 Jul 2003 21:04:05 +0200


On  Wed, 30 Jul 2003 09:46:06 -0600 GMT (..17:46 where i live(GMT+2) )
Tom Nichols asked the Zope mailinglist about the following:
  
> I don't seem to understand the Security applied to a script. 
.....
> When another user who does not have the manager role runs the script
> that calls this one against the config object, this script fails becaus=
e
> the user does not have permission to do the manage_changeProperties
> call. 

> If I add 'manage properties' permission on the object config to a role
> this user has, then the script runs properly. 

> So it appears to me that the script runs with the user's permission
> rather than the owners' permission (which I expected). 

> Can anyone help me understand why the script doesn't run with its
> owners' (a manager) permission to manage properties?

a script is run with the lowest of the two : the owners and the user
executing it. If you want it to be able to run with more permissions
than the executing user has, you have to give the script a proxy-role.

the security chapter of the zope book (2.6 edition) has it all
described in detail :
http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx

:)

--
Geir Bækholt