[Zope-dev] Security Strangeness

Johan Carlsson johanc@torped.se
Sun, 23 Jul 2000 01:36:49 +0200


Hi all,
I noticed some strange behavior in the way Zope User Folders work.

First, you can't delegate the permission to add and delete users except
by assigning the user the role "manager".
IMHO this is too limiting.

Second, if you give a user the permission to Change Permissions, that
user can change permissions that she doesn't have the right to manage
in the first place. In that way she can upgrade her permissions.
That's no good.

Best Regards,
Johan Carlsson
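
The escalation described in the second point, as an added example that is not part of the original post and is not Zope's code: a simplified role/permission model showing a grant that checks only "Change permissions" beside one that also requires the actor to hold the permission being granted. The `Folder` class, its methods, the user `alice` and the sample role data are hypothetical and constructed for illustration.

```python
# Simplified model of role-based permission delegation; NOT Zope code.
# Class, method and user names are hypothetical.
CHANGE = "Change permissions"


class Folder:
    def __init__(self, role_perms, user_roles):
        self.role_perms = {r: set(p) for r, p in role_perms.items()}
        self.user_roles = {u: set(r) for u, r in user_roles.items()}

    def permissions_of(self, user):
        """Union of the permissions of every role the user holds."""
        held = set()
        for role in self.user_roles.get(user, ()):
            held |= self.role_perms.get(role, set())
        return held

    def grant_unchecked(self, actor, role, permission):
        """Behaviour the post describes: only CHANGE itself is required."""
        if CHANGE not in self.permissions_of(actor):
            raise PermissionError(f"{actor} may not change permissions")
        self.role_perms.setdefault(role, set()).add(permission)

    def grant_capped(self, actor, role, permission):
        """Delegation cap: an actor can hand out only what she already holds."""
        held = self.permissions_of(actor)
        if CHANGE not in held:
            raise PermissionError(f"{actor} may not change permissions")
        if permission not in held:
            raise PermissionError(f"{actor} does not hold {permission!r}")
        self.role_perms.setdefault(role, set()).add(permission)


def make_folder():
    """Constructed sample data: alice is an Editor, not a Manager."""
    return Folder(
        {"Manager": {"View", CHANGE, "Manage users"}, "Editor": {"View", CHANGE}},
        {"alice": {"Editor"}},
    )


if __name__ == "__main__":
    weak, strict = make_folder(), make_folder()
    weak.grant_unchecked("alice", "Editor", "Manage users")
    print("unchecked:", sorted(weak.permissions_of("alice")))
    try:
        strict.grant_capped("alice", "Editor", "Manage users")
    except PermissionError as exc:
        print("capped:", exc)
```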