[BUG] Permission mapping partially ineffective (was:[Zope] ZClass and Permissions)

Dieter Maurer dieter@handshake.de
Wed, 26 Jun 2002 22:59:56 +0200


Douwe (mailto:douwe@oberon.nl) reported:
  ... permission mapping has no effect for "manage_addProperty" inherited
  from DTMLDocument ...

I analysed the problem:

  Permission mappings defined in the ZClass' "Define Permissions" tab itself
  (rather than that for a specific method/propertySheet)
  are ineffective.

  As a consequence, the permissions of inherited methods cannot be
  remapped.
  
  Permission mappings defined for specific methods or property sheets
  are effective. Accesses to such a method or property sheet
  are wrapped into an additional PM (Permission Mapper) acquisition wrapper
  that takes care of the permission mapping. Such a wrapper is missing
  for ZInstance accesses.

This is a potential security breach, as anticipated protections
expressed via a permission mapping are not effective.


Workaround:

  If the permission mapping has the aim to restrict a permission,
  there is no workaround.

  If the permission should be extended, a wrapper method can be defined
  that calls the original method. Its "View" permission is mapped
  to the desired target permission. It gets a proxy role such that
  it is able to call the original method.
  

Dieter
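
A simplified model of the behaviour reported above, added here as an illustration; it is not code from this message or from Zope's AccessControl package. The class and function names, the "Edit articles" permission and the assumption that "Manage properties" protects manage_addProperty are all constructed for the example.

```python
# Simplified model, not Zope's AccessControl code. Permission names and
# function names are constructed for illustration.

class Mapper:
    """Stand-in for the PM wrapper: remaps permissions on the access path."""
    def __init__(self, mapping):
        self.mapping = mapping  # declared permission -> target permission

    def resolve(self, permission):
        return self.mapping.get(permission, permission)


def effective_permission(declared, access_path):
    """Apply every mapper that the access actually passes through."""
    for wrapper in access_path:
        declared = wrapper.resolve(declared)
    return declared


def may_call(user_permissions, declared, access_path):
    return effective_permission(declared, access_path) in user_permissions


# Mapping entered on the ZClass' own "Define Permissions" tab.
CLASS_MAPPING = Mapper({"Manage properties": "Edit articles"})
# Mapping entered for one specific method (the workaround's wrapper method).
METHOD_MAPPING = Mapper({"View": "Edit articles"})

EDITOR = {"Edit articles"}        # should be let in by the mapping
OUTSIDER = {"Manage properties"}  # should be kept out by the mapping


def inherited_call(user, with_instance_wrapper):
    """manage_addProperty reached through a ZInstance."""
    path = [CLASS_MAPPING] if with_instance_wrapper else []  # bug: path is empty
    return may_call(user, "Manage properties", path)


def workaround_call(user, proxy_permissions=frozenset({"Manage properties"})):
    """Wrapper method: 'View' is mapped per method, proxy role calls the original."""
    if not may_call(user, "View", [METHOD_MAPPING]):
        return False
    return inherited_call(proxy_permissions, with_instance_wrapper=False)


if __name__ == "__main__":
    print("intended:", inherited_call(EDITOR, True), inherited_call(OUTSIDER, True))
    print("actual:  ", inherited_call(EDITOR, False), inherited_call(OUTSIDER, False))
    print("wrapper: ", workaround_call(EDITOR), workaround_call(OUTSIDER))
```

In the model the wrapper method lets the editor in, but the outsider can still reach the inherited method directly, which is the restriction case with no workaround.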