[Zope] Zope and roles and hierarchy
Lennart Regebro
regebro at gmail.com
Sat Feb 11 08:25:00 EST 2006
On 2/11/06, Kees de Brabander <cj.de.brabander at hccnet.nl> wrote:
> By refering to 1.10 I did not intend to create the impression that I am very
> experienced. I am still just an average user and happy with that. But
> consider this use case:
>
> f1 (folder, acquisition of view permission disabled, and granted again to
> all roles except Anonymous)
> f1_index (dtml-method)
> f11 (folder)
> acl_users (user folder)
> user1 (user object with user defined 'student' role)
> index_html (dtml-method calling f1_index)
>
> when calling .../f1/f11 and authenticating as user1 in zope 2.7.3, you will
> get the page, but in 2.7.8 you are not authorized.
Ah, OK, you are not calling it directly. Yes, that may be one of the
security holes that was patched up in 2.7.4 I think. The solution is
easy: Give index_html a proxy role. In this case "Authenticated" is
enough. f1_index itself if you call it directly will not be
accessible, and that's how it has to be.
> More importantly, however, how would one go about making available objects
> shared by many subfolders each with its own group of users?
That depends very much on what type of objects it is and why you want
that setup.
--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
More information about the Zope
mailing list