[Zope-CMF] Securing CMF with Page Templates

Kent Polk kent@goathill.org
Fri, 12 Apr 2002 17:09:27 -0500 (CDT)


Dieter Maurer wrote:
> Kent Polk writes:
>  > Have you turned off 'Acquire permission settings' for 'view' to
>  > that object, allowed view permission only for a User defined role,
>  > and then logged in as a user who has that role (or set via local
>  > roles) and then tried to access the file/size for that object from
>  > outside of that object?
> No, I did not.
> 
>  > It fails every time for me.
> And it might be right:
> 
>   The effective permissions are the intersection
>   of those that both the executing user and the owner of the
>   executing script have.
> 
>   If the owner has no longer "View" permission, then even when
>   the executing user has, he will not be allowed to view.
> 
>   This is Zope's Trojan Horse protection...

Actually, I oversimplified the case a tiny bit (didn't know that
it would matter). The owner does have view permissions but is the
only other role that does, so the case still appears the same here.

I didn't know about this particular restriction.  Are there any
others that would come into play here?