[Zope-dev] permission inheritance from conflicting groups

Daniel Blackburn blackburnd at gmail.com
Mon Jun 9 21:38:40 EDT 2008


It seems that there either may be an issue with Zope security or I do
not understand it properly. Please let me know what you guys think.

Let's say we have a principal with no direct permissions or roles
assigned to see a view index.html. The principal has two groups,
group1 and group2. group1 allows the principal to see index.html and
group2 denies access to index.html. It seems to me that in this
situation of conflicting permissions a deny permission should result
for the principal to the index view. However, it does not; the
permission will be digested into allowing the principal to have access
to the view. Is this the desired behavior, or just simply overlooked?
I looked in the doctests and did not see anything like this. Any
feedback would be appreciated.

Thanks
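
The scenario in the message above, as an added example that is not part of the original post and is not Zope's own code: a small model that contrasts the allow-wins outcome the post reports with the deny-overrides outcome the poster expected, plus an audit helper that lists principals whose groups disagree. The permission name "view:index.html", the principal names and all function names are assumptions made for illustration.

```python
from enum import Enum


class Setting(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    UNSET = "Unset"


# Constructed sample data mirroring the post: group1 allows, group2 denies.
# "view:index.html" is a hypothetical permission id, not a real Zope one.
GROUP_GRANTS = {
    "group1": {"view:index.html": Setting.ALLOW},
    "group2": {"view:index.html": Setting.DENY},
}


def group_settings(groups, permission, grants=GROUP_GRANTS):
    """Collect each group's setting for a permission (UNSET if absent)."""
    return [grants.get(g, {}).get(permission, Setting.UNSET) for g in groups]


def allow_wins(groups, permission, grants=GROUP_GRANTS):
    """Outcome the post reports: one group Allow is enough, Deny is ignored."""
    return Setting.ALLOW in group_settings(groups, permission, grants)


def deny_overrides(groups, permission, grants=GROUP_GRANTS):
    """Outcome the poster expected: any group Deny blocks access."""
    found = group_settings(groups, permission, grants)
    if Setting.DENY in found:
        return False
    return Setting.ALLOW in found


def find_conflicts(principal_groups, grants=GROUP_GRANTS):
    """Audit helper: (principal, permission) pairs where groups disagree.

    These are exactly the cases where the two combining rules above give
    different answers, so they are the ones worth reviewing by hand.
    """
    conflicts = []
    for principal, groups in principal_groups.items():
        perms = {p for g in groups for p in grants.get(g, {})}
        for perm in sorted(perms):
            found = set(group_settings(groups, perm, grants))
            if {Setting.ALLOW, Setting.DENY} <= found:
                conflicts.append((principal, perm))
    return conflicts
```

The model assumes the principal has no direct grants, as in the post, so only group settings are combined.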