[Zope-dev] permission inheritance from conflicting groups

Zvezdan Petkovic zvezdan at zope.com
Tue Jun 10 09:52:23 EDT 2008 

On Jun 9, 2008, at 9:38 PM, Daniel Blackburn wrote:

> It seems that there either may be an issue with Zope security or I do
> not understand it properly. Please let me know what you guys think.

It seems you misunderstood it.

> Lets say we have a principal with no direct permissions or roles
> assigned to see a view index.html. The principal has two groups,
> group1 and group2. group1 allows the principal to see index.html and
> group2 denys access to index.html. It seems to me that in this
> situation of conflicting permissions a deny permission should result
> for the principal to the index view. However it does not, the
> permission will be digested into allowing the principal to have access
> to the view. Is this the desired behavior, or just simply overlooked.
> I looked in the doctests and did not see anything like this. Any
> feedback would be appreciated.

Here's a scenario from the real world.

You start working in a company.  The security team puts you in a group  
of regular employees so that when you swipe you card at the card  
readers in front of each door you are allowed to rooms A, B, and C,  
but explicitly denied access to rooms D, E, and F.

After a while you are promoted to a special team.  The security team  
adds you to that group.  Now when you swipe your card at the door D,  
the computer checks the following.

- Read your employee ID from the card.
- Get the groups that employee ID belongs to.
	- Regular employee group
		- Cannot access door D
	- Special team group
		- Can access door D
- Employee ID belongs to at least one group that can access this door.
- Open the door.

The door F will be open only to a member of the security team (group).

This is equivalent to the old times when they give you a key when you  
start working.  That key does not let you in all rooms.
After a while, you are promoted, which really means that you are in a  
special group.  They give you another key.  That one lets you in one  
more room.

Can you access that room?
Not with the first key.
How about the second?

More information about the Zope-Dev mailing list