[Zope] Re: [Exuserfolder-users] Problem with permission

Leonardo Rochael Almeida leo@hiper.com.br
10 Jan 2003 17:13:45 -0200


On Fri, 2003-01-10 at 16:01, Dieter Fischer wrote:
> Hello

Hi,

> I've got a permission problem in Zope. I don't know if it is a Zope or an
> exUserFolder issue, so I'm posting to both lists.

And breaking the no-crossposting rule.

> The point is, that I've a "Z SQL Method", and the user has the role which is
> allowed to do anything with this object. But I can only execute it when I
> give "Use Database Methods" to "Anonymous", what I really don't like to do.
> If I don't give the permission to "Anonymous", the login box always appears.

The symptoms might indicate a case of "disowned-object".

For security reasons, a Zope object is executed only if both the owner
of the object and the current viewer have the permission to execute
the object. This prevents privilege elevation bugs.

What you're experiencing sounds like the owner of the ZSQLMethod was
deleted or lost its roles.

If this is your problem, you can solve it like this:

* With a Manager user of the root acl_users, visit the "security" tab of
the ZSQLMethod

    - Give the "Take ownership" permission to the Manager role
    
    - click on the "local roles" link in the first paragraph and give
    the "Owner" local-role to this user

* Then go to the "Ownership" tab of this ZSQLMethod and click on the
"Take ownership" button

* Go to the "security" tab and Remove the "Take ownership" role of the
Manager user or you'll be exposed to "privilege elevation bugs"

Cheers, Leo

-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.
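The owner-plus-viewer check Leo describes, as an added illustration that is not part of the post or of Zope's own security code: a constructed model with made-up user and role names, showing why a deleted owner blocks execution, why granting the permission to Anonymous "fixes" it, and why taking ownership is the proper cure.

```python
# Simplified model of Zope's "executable ownership" check (constructed illustration).
# User names, roles and the ACL below are made up for the example.

ANONYMOUS = "Anonymous"
PERMISSION = "Use Database Methods"

# Site acl_users: user name -> roles. Every user, known or not, also holds Anonymous.
USERS = {"manager": {"Manager"}, "dieter": {"DBUser"}}


def roles_of(users, name):
    """Roles a user holds; an unknown (deleted) user is left with only Anonymous."""
    return set(users.get(name, ())) | {ANONYMOUS}


def may_execute(acl, users, owner, viewer):
    """Execution is allowed only if the owner AND the viewer each hold a role
    that the object's security tab maps to the required permission."""
    allowed = set(acl.get(PERMISSION, ()))
    owner_ok = bool(roles_of(users, owner) & allowed)
    viewer_ok = bool(roles_of(users, viewer) & allowed)
    return owner_ok and viewer_ok


def disowned_case(grant_to_anonymous=False):
    """ZSQLMethod still owned by 'old_admin', who has since been deleted."""
    extra = {ANONYMOUS} if grant_to_anonymous else set()
    acl = {PERMISSION: {"DBUser", "Manager"} | extra}
    return may_execute(acl, USERS, owner="old_admin", viewer="dieter")


def after_take_ownership():
    """Same ACL with no Anonymous grant, after 'manager' took ownership."""
    acl = {PERMISSION: {"DBUser", "Manager"}}
    return may_execute(acl, USERS, owner="manager", viewer="dieter")


if __name__ == "__main__":
    print("deleted owner, no Anonymous grant:", disowned_case())        # False: login box appears
    print("deleted owner, Anonymous granted: ", disowned_case(True))    # True, but now anyone may run it
    print("after taking ownership:           ", after_take_ownership())  # True, without the Anonymous grant
```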