[Zope] CopySupport methods permissions - do they make sense?
David Kankiewicz
kankie@thegrid.net
Thu, 04 Nov 1999 09:08:36 -0900
Dave Parker wrote:
>
> I'm doing a site that allows membership. When users sign up, I create a
> folder with an acl_users folder and a user for them. All the folder/user
> creation happens as an anonymous user, which should be ok 'cause the
> only way they can do these things is via my logic.
>
> Problem is, I'd also *like* to copy or clone a index_html page into the
> user's new folder.
>
What you want is under the Proxy management tab.
setup a role, in the "security" tab, that as "View management screens"
and goto the proxy tab in the method or document and select the role you
created, press "change".
Remember that this is a security hole if you accept parameters in that
method, basically keep it to the point and simple.
> What I think I've found, however, is that pretty much all of the methods
> in OFS/CopySupport.py require "View management screens" permissions in
> order to do copy/clone operations. Delete operations, on the other
> hand, have their own permission setting. Does this make sense? I
> really don't want to have to turn on "View management screens" for
> anonymous users, and I don't think I should have to just to use
> copy/clone methods.
>
> IMHO the copy operations should have their own seperate permission as
> delete does. What do you think?
I think they should but the above works for now. Maybe someone can think
about it and put up a proposal :)
>
> As a completely seperate aside, it'd be nice if, when access fails due
> to permissions, Zope would report on just what sort of permission would
> be required in order to accomplish the operation in question. As it
> stands it's an easter egg hunt and it's not too fun.
Submit that to the collector if its not already in there.
Regards,
David
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> No cross posts or HTML encoding!
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )