[Zope] proxy roles don't get passed down a method call chain?
Chris Withers
chris at simplistix.co.uk
Fri Feb 17 04:29:29 EST 2006
Tres Seaver wrote:
>> IIRC, if you had scripta calling scriptb, you used to be able to give
>> scripta a proxy role and scriptb would also execute with that role.
>> However, again IIRC, in current Zope releases, if you give scripta a
>> proxy role, when it calls scriptb, scriptb will just run with the roles
>> of the current user.
>>
>> Have I got this right? If so, I wonder why the change was made...
>
> The only change I recall to how proxy roles work is that proxy roles
> used to *augment* a users' roles; now they *replace* them.
Yeah, I wonder if that means if you give it a proxy role of manager, it
looses all other roles?
> I don't know that the case you are talking about (S1 has proxy roles,
> calls protected S2 fine,
Okay, S2 here is "some permission-protected method where the current
user doesn't have the required permission"...
> but fails when calling PR-less S3 which calls
> S2) ever worked under either scenario.
Oh well, I could have sworn it did at one point :-/
> Proxy roles have always only
> been checked for the "topmost" object on the executable stack (S1 in the
> first example, S2 in the second).
Is it something worth adding as a feature request or are there security
implications I'm missing?
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
More information about the Zope
mailing list