[Zope] Re: Aquisition, UserFolder and security
Tres Seaver
tseaver at palladion.com
Fri Sep 30 09:01:30 EDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
bruno modulix wrote:
> Dieter, I didn't misunderstood your proposed solution. But some users
> exist in different CPMs with different roles in each CPM. So - unless
> I'm totally at lost with how Zope's security works - if User1 has role
> RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
> he could gain RoleWithMuchPrivileges in Cpm2 just by using faked url
> cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
> any CPM could gain access to any other CPM just by faking url.
The Zope2 security machinery explicitly prevents such abuse by
considering only "containment" acquisition when evaluating local roles,
acquired permission maps, etc. It also insists that the user being
considered exist "in context of" the object being validated.
Tres.
- --
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDPTcq+gerLs4ltQ4RAuJKAJ0Y6z6iNRMuH7AgjVvF3rOI5FTFkQCfV5SU
zV03BmP/HeQa2KHVFhhHdrA=
=JmJp
-----END PGP SIGNATURE-----
More information about the Zope
mailing list