[Zope] Zope and roles and hierarchy

Kees de Brabander cj.de.brabander at hccnet.nl
Sat Feb 11 07:32:18 EST 2006


By referring to 1.10 I did not intend to create the impression that I am very
experienced. I am still just an average user and happy with that. But
consider this use case:

f1 (folder, acquisition of view permission disabled, and granted again to
all roles except Anonymous)
    f1_index (dtml-method)
    f11 (folder)
        acl_users (user folder)
            user1 (user object with user defined 'student' role)
        index_html (dtml-method calling f1_index)

When calling .../f1/f11 and authenticating as user1 in Zope 2.7.3, you will
get the page, but in 2.7.8 you are not authorized.
I have attached an export file with this setup. If you'd like to try, just
give user1 a password of your liking and see for yourself.

More importantly, however, how would one go about making available objects
shared by many subfolders each with its own group of users?

cb

----- Original Message ----- 
From: "Lennart Regebro" <regebro at gmail.com>
To: "Kees de Brabander" <cj.de.brabander at hccnet.nl>
Cc: "David" <bluepaul at earthlink.net>; "zope user list" <zope at zope.org>
Sent: Saturday, February 11, 2006 12:09 PM
Subject: Re: [Zope] Zope and roles and hierarchy


On 2/11/06, Kees de Brabander <cj.de.brabander at hccnet.nl> wrote:
> Unaware of any security risks I used this "feature" from zope 1.10.x on and
> regularly upgrading my applications I had no problems until zope 2.7.8

Admittedly, I didn't use 1.10, I only discovered Zope two months
later, with 2.0.1. And I don't remember those details that far back.
But at least in 2.4.0, this code was called when you did
user.allowed():
[...]
And hence, you can't have done this after Zope 2.4.0. So I still think
you are talking about something else.

--
Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: f1.zexp
Type: application/octet-stream
Size: 1999 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope/attachments/20060211/87364331/f1-0001.obj

