[Zope] Proxy roles

Marcin Wudarczyk mar at mar.prv.pl
Sun Feb 1 07:39:56 EST 2004


Dieter Maurer wrote


> Marcin Wudarczyk wrote at 2004-1-29 20:48 +0100:
>>I have a question concerning proxy roles. The problem I have
>>encountered is that when I grant a proxy role to a script, other
>>scripts and templates called from that script do not posess that role.
>>Is it an error, should it be like that or am I doing something wrong?

> This is as it should be!

> When a called script needs special permissions, you
> must give it a proxy role, too.

Thank you for your anser.

I am new to Zope, but for me it seems to be not intuitive behaviour.
In the script having proxy role Manager I can do whatever I want, but
I cannot call a script not having proxy role and let him do it.

I think it would not compromise security if the roles were "inherited"
across function calls. But it may be useful, because I may put a more
general code, for example, for creating some kind of object, to one
script without proxy role to make unpriviledged users unable to create
the objects wherever they want and create a number of small scripts
with proxy role to create that objects in specific places.

The workararound is to grant that general script a proxy role and give
permission to execute it only to priviledged user. But this looks odd
for me, as the script that can be executed only by priviledged users
has to have a proxy role that grants it permissions of priviledged
user.

Regards

      Marcin Wudarczyk
      http://mar.prv.pl





More information about the Zope mailing list