[Zope] Zope and roles and hierarchy

Kees de Brabander cj.de.brabander at hccnet.nl
Sat Feb 11 05:42:23 EST 2006


Unaware of any security risks I used this "feature" from zope 1.10.x on and,
regularly upgrading my applications, I had no problems until zope 2.7.8.
cb
----- Original Message ----- 
From: "Lennart Regebro" <regebro at gmail.com>
To: "Kees de Brabander" <cj.de.brabander at hccnet.nl>
Cc: "David" <bluepaul at earthlink.net>; "zope user list" <zope at zope.org>
Sent: Friday, February 10, 2006 2:49 PM
Subject: Re: [Zope] Zope and roles and hierarchy


On 2/10/06, Kees de Brabander <cj.de.brabander at hccnet.nl> wrote:
> > If so, couldn't we have some extra attribute to a role like "upwardly
> > mobile"? (I want to share a code base for several folders and sub-folders
> > and I do not want to give it anonymous access).
> >
> I second that. This used to be possible, at least up to zope 2.7.3.

No, you don't have any rights above where you are created, because you
don't exist there and hence you can not be validated. Implementing
that would be complicated, unnecessary and most likely open up huge
security holes.

> The loss of this feature makes the acquisition concept obsolete to some
> extent.

There may be some difference and some feature which you lost between
2.7.3 and 2.7.8, especially since a lot of security fixes were done,
but the described functionality was not it, unless Zope 2.7.3
specifically had by mistake opened up this gaping security hole.

--
Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
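The point Lennart makes ("you don't have any rights above where you are created, because you don't exist there and hence you can not be validated") can be shown with a small model of hierarchical user folders. This is an added example written for this page, not Zope's own code: it assumes a folder tree where some folders carry an acl_users mapping, and that authentication walks from the published object up toward the root, consulting only user folders on that chain. A user defined in a sub-folder's user folder is therefore never found when a parent folder is accessed, and requests there fall back to Anonymous.

```python
"""Toy model of Zope-style hierarchical user folders (constructed example,
not Zope's implementation). Demonstrates why a user defined in a sub-folder
cannot be validated, and so has no roles, above that sub-folder."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # acl_users: username -> (password, [roles]); None means no user folder here
    acl_users: Optional[dict] = None
    children: dict = field(default_factory=dict)

    def add(self, child: "Folder") -> "Folder":
        child.parent = self
        self.children[child.name] = child
        return child


def resolve(root: Folder, path: str) -> Folder:
    """Walk down from the root to the folder named by an absolute path."""
    node = root
    for part in path.strip("/").split("/"):
        if part:
            node = node.children[part]
    return node


def authenticate(target: Folder, username: str, password: str):
    """Walk from the published object toward the root; the first user folder
    on that chain that knows the credentials wins. User folders *below* the
    target are never on the chain, so users defined there do not exist here."""
    node = target
    while node is not None:
        if node.acl_users is not None:
            entry = node.acl_users.get(username)
            if entry is not None and entry[0] == password:
                return (username, tuple(entry[1]), node)
        node = node.parent
    return ("Anonymous User", ("Anonymous",), None)


# Hypothetical permission -> roles mapping, constructed for the demo.
PERMS = {
    "View": ("Manager", "Editor", "Anonymous"),
    "Edit": ("Manager", "Editor"),
}


def allowed(target: Folder, username: str, password: str, permission: str) -> bool:
    """True if the (possibly anonymous) user holds a role that grants the permission."""
    _, roles, _ = authenticate(target, username, password)
    return any(role in PERMS.get(permission, ()) for role in roles)


def build_site() -> Folder:
    """Constructed site: 'admin' lives in the root acl_users, 'kees' only in /site/sub."""
    root = Folder("", acl_users={"admin": ("s3cret", ["Manager"])})
    site = root.add(Folder("site"))
    sub = site.add(Folder("sub", acl_users={"kees": ("pw", ["Editor"])}))
    sub.add(Folder("page"))
    site.add(Folder("page"))
    return root


def demo() -> dict:
    root = build_site()
    below = resolve(root, "/site/sub/page")  # inside the folder that defines kees
    above = resolve(root, "/site/page")      # one level above that folder
    return {
        "below_user": authenticate(below, "kees", "pw")[0],
        "above_user": authenticate(above, "kees", "pw")[0],
        "below_edit": allowed(below, "kees", "pw", "Edit"),
        "above_edit": allowed(above, "kees", "pw", "Edit"),
        "admin_above_edit": allowed(above, "admin", "s3cret", "Edit"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows kees validated as an Editor under /site/sub but treated as Anonymous User at /site/page, while admin, defined at the root, is validated everywhere. Sharing code across sibling folders without granting anonymous access therefore means defining the user (or the user folder) at a level that is an ancestor of every folder involved, rather than expecting roles to propagate upward.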
