[Zope] Zope and security.

Brian Lloyd Brian@digicool.com
Thu, 11 Nov 1999 11:23:06 -0500


> It seems to me you cannot securely allow users access to the "Security"
> tab in the management interface.  It's easy enough to shut this off, but
> that does take away an awful lot of functionality.  Is this an intended
> design, or is it a flaw in the Zope security model?

It is possible to do what you are asking (with a few caveats). 
Local roles let you give a user roles *only in the context of 
a particular object* rather than associating the roles directly 
with the user. The easiest way to accomplish what you are asking:

There is a predefined "Owner" role in Zope. When a user
creates an object, he/she is automatically given the 
local role "Owner" on that object. Let's say you want
to totally delegate control of the "Reports" area of your
site to Fred. First, create a "Reports" folder somewhere
on your site. Now go to the "Security" tab of the Folder
and click on "local roles" and give Fred the "Owner" local
role. Now, go up at least one folder (or even all the way 
to the top of the site) and on the "Security" screen give
the "Owner" role all of the permissions you want Folder
owners to have on their area (this can include the "Change
Permissions" permission too).

Now, Fred will have all of the permissions associated with
the "Owner" role - but only in _his_ Folder, where he has
the local role "Owner". In other words, he could see and 
use the "Security" tab in _his_ Folder, but if he went 
higher up in the site he couldn't (because he doesn't have
the local role "Owner" there).

Now the caveat: when you give someone the "Change permissions"
permission, you are effectively trusting him as a Manager in
his own area. Though he can't affect things outside his area,
it is not really possible to actually restrict what he can do
in his own area once you've given "Change permissions". This 
is because he is now free to give himself any permission he 
wants (in his own folder) if he doesn't already have it.

It is possible that this behavior could be modified in the 
future (by enforcing some rules whereby a user can only 
modify roles or permissions that he already has), but some
thought would need to go into this to be sure that there is 
a real need for it and that the behavior is well understood.

Hope this helps!


Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
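
The delegation and the "Change permissions" caveat described in the message above, as an added example that is not part of the original post and is not Zope code. The Folder class, its method names, the strict flag, the user "fred" and the "View" and "Delete objects" permission names are assumptions made for this toy model.

```python
# Toy model of the local-role behaviour described in the post. Constructed
# for illustration; it is not Zope's API or its real acquisition code.

class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}  # user -> roles granted in this folder
        self.role_perms = {}   # role -> permissions set in this folder

    def chain(self):
        """Yield this folder, then each ancestor up to the site root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def roles_of(self, user):
        """Local roles count in the folder where granted and below it."""
        return set().union(*(n.local_roles.get(user, set()) for n in self.chain()))

    def perms_of_role(self, role):
        """Simplification: nearest setting wins, else acquire from above."""
        for node in self.chain():
            if role in node.role_perms:
                return set(node.role_perms[role])
        return set()

    def allowed(self, user, perm):
        return any(perm in self.perms_of_role(r) for r in self.roles_of(user))

    def grant(self, user, role, perm, strict=False):
        """Add perm to role here. strict=True models the rule floated in
        the post: a user may only hand out permissions he already holds."""
        if not self.allowed(user, "Change permissions"):
            raise PermissionError(f"{user} may not change permissions in {self.name}")
        if strict and not self.allowed(user, perm):
            raise PermissionError(f"{user} does not already hold {perm!r}")
        self.role_perms[role] = self.perms_of_role(role) | {perm}


def build_site():
    """Constructed sample site: root -> Reports, Fred is Owner of Reports."""
    root = Folder("root")
    reports = Folder("Reports", root)
    root.role_perms["Owner"] = {"View", "Change permissions"}  # set higher up
    reports.local_roles["fred"] = {"Owner"}                    # local role
    return root, reports
```

With strict left off, Fred can add any permission to his own role inside Reports while the root folder's settings stay untouched; with strict on, the same call is refused.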