[ZCM] [ZC] 444/ 2 Reject "Permission mapping partially ineffective"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Thu Apr 29 13:08:27 EDT 2004
Issue #444 Update (Reject) "Permission mapping partially ineffective"
Status Rejected, Zope/bug critical
To followup, visit:
http://collector.zope.org/Zope/444
==============================================================
= Reject - Entry #2 by Caseman on Apr 29, 2004 1:08 pm
Status: Pending => Rejected
ZClasses are not being actively maintained, so unless you provide a patch, it is not likely to be fixed.
________________________________________
= Request - Entry #1 by d.maurer on Jun 26, 2002 4:59 pm
Douwe (mailto:douwe at oberon.nl) reported:
... permission mapping has no effect for "manage_addProperty" inherited
from DTMLDocument ...
I analysed the problem:
Permission mappings defined in the ZClass' "Define Permissions" tab itself
(rather than that for a specific method/propertySheet)
are ineffective.
As a consequence, the permissions of inherited methods cannot be
remapped.
Permission mappings defined for specific methods or property sheets
are effective. Accesses to such a method or property sheet
are wrapped into an additional PM (Permission Mapper) acquisition wrapper
that takes care of the permission mapping. Such a wrapper is missing
for ZInstance accesses.
This is a potential security breach, as anticipated protections
expressed via a permission mapping are not effective.
Workaround:
If the permission mapping has the aim to restrict a permission,
there is no workaround.
If the permission should be extended, a wrapper method can be defined
that calls the original method. Its "View" permission is mapped
to the desired target permission. It gets a proxy role such that
it is able to call the original method.
See mailing list archives of zope at zope.org
for details: [Zope] ZClass and Permissions
==============================================================