[Zope] Zope and roles and hierarchy

Kees de Brabander cj.de.brabander at hccnet.nl
Mon Feb 13 16:47:17 EST 2006


----- Original Message ----- 
From: "Lennart Regebro" <regebro at gmail.com>
To: "Kees de Brabander" <cj.de.brabander at hccnet.nl>
Cc: "zope user list" <zope at zope.org>
Sent: Saturday, February 11, 2006 2:25 PM
Subject: Re: [Zope] Zope and roles and hierarchy


On 2/11/06, Kees de Brabander <cj.de.brabander at hccnet.nl> wrote:
> f1 (folder, acquisition of view permission disabled, and granted again to
> all roles except Anonymous)
>     f1_index (dtml-method)
>     f11 (folder)
>         acl_users (user folder)
>             user1 (user object with user defined 'student' role)
>         index_html (dtml-method calling f1_index)
>
> when calling .../f1/f11 and authenticating as user1 in zope 2.7.3, you will
> get the page, but in 2.7.8 you are not authorized.

Ah, OK, you are not calling it directly. Yes, that may be one of the
security holes that was patched up in 2.7.4 I think. The solution is
easy: Give index_html a proxy role. In this case "Authenticated" is
enough. f1_index itself if you call it directly will not be
accessible, and that's how it has to be.

[cb] And what are my options if I want to call f1_index directly from f11?
cb
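The following is a simplified model of the three mechanisms the exchange above turns on (permission roles with an acquire flag, a user that is only recognised inside the subtree of the folder holding its acl_users, and proxy roles on an executable that stand in for the caller's own roles). It is added to this archive page as a teaching example and is not Zope's code nor anything posted in the thread; the class and function names, and the assumption that the 2.7.4 fix amounts to "outside its user folder's subtree a user counts as Anonymous", are mine.

```python
"""Simplified model of the Zope 2 checks discussed in this thread: permission
roles with an acquire flag, users only recognised below the folder holding
their acl_users, and proxy roles on an executable. Teaching model written
for this page, not Zope's own code; names and the exact rules are assumed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(eq=False)  # identity comparison, so nodes can be looked up in ancestors()
class Node:
    """A folder or document. `permissions` maps a permission name to
    (roles granted here, acquire-from-parent flag)."""
    name: str
    parent: Optional["Node"] = None
    permissions: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)
    acl_users: Dict[str, Set[str]] = field(default_factory=dict)  # username -> roles
    proxy_roles: Optional[Set[str]] = None  # only meaningful on an executable

    def set_permission(self, perm: str, roles: Set[str], acquire: bool = True) -> None:
        self.permissions[perm] = (set(roles), acquire)

    def roles_for(self, perm: str) -> Set[str]:
        """Roles allowed `perm` on this node: local grants, plus the parent's
        grants while the acquire flag is on (no setting at all means acquire)."""
        local, acquire = self.permissions.get(perm, (set(), True))
        roles = set(local)
        if acquire and self.parent is not None:
            roles |= self.parent.roles_for(perm)
        return roles

    def ancestors(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


ANONYMOUS_ROLES = {"Anonymous"}


def effective_roles(user: Optional[Tuple[Node, str]], target: Node) -> Set[str]:
    """`user` is (folder whose acl_users defined the user, username), or None
    for an anonymous visitor. Assumed post-2.7.4 rule: outside the subtree of
    that folder the user is treated as Anonymous."""
    if user is None:
        return set(ANONYMOUS_ROLES)
    home, name = user
    if home not in target.ancestors():
        return set(ANONYMOUS_ROLES)
    return home.acl_users[name] | {"Authenticated"}


def allowed(user, perm: str, target: Node, executing: Optional[Node] = None) -> bool:
    """Permission check. When the caller is an executable carrying proxy
    roles, those roles replace the user's own roles for the check."""
    if executing is not None and executing.proxy_roles is not None:
        roles = set(executing.proxy_roles)
    else:
        roles = effective_roles(user, target)
    return bool(roles & target.roles_for(perm))


def build_thread_scenario():
    """Constructed tree matching the layout quoted in the thread."""
    root = Node("root")
    root.set_permission("View", {"Anonymous", "Authenticated", "Manager", "student"}, acquire=False)
    f1 = Node("f1", root)
    # acquisition of View disabled, granted again to all roles except Anonymous
    f1.set_permission("View", {"Authenticated", "Manager", "student"}, acquire=False)
    f1_index = Node("f1_index", f1)
    f11 = Node("f11", f1)
    f11.acl_users["user1"] = {"student"}  # user1 lives in f11/acl_users
    index_html = Node("index_html", f11)
    return f1_index, f11, index_html


def run_checks():
    f1_index, f11, index_html = build_thread_scenario()
    user1 = (f11, "user1")
    results = {
        # user1 opens /f1/f11/index_html: defined right here, View acquired from f1
        "index_html direct": allowed(user1, "View", index_html),
        # index_html without proxy roles calls f1_index: user1 is unknown above f11
        "f1_index via index_html": allowed(user1, "View", f1_index, executing=index_html),
    }
    index_html.proxy_roles = {"Authenticated"}  # the fix suggested in the reply
    results["f1_index via proxied index_html"] = allowed(user1, "View", f1_index, executing=index_html)
    # calling f1_index directly as user1 stays denied, proxy roles or not
    results["f1_index direct"] = allowed(user1, "View", f1_index)
    return results


if __name__ == "__main__":
    for label, ok in run_checks().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

Running it shows the four outcomes the thread describes: the page in f11 is viewable directly, the call through to f1_index is denied once the user's identity stops counting above f11, the same call succeeds once index_html carries the "Authenticated" proxy role, and f1_index called directly stays denied. The model deliberately keeps the proxy roles on the executable rather than on the user, which is why the proxied call is the only path that opens f1_index.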


