[ZCM] [ZC] 444/ 2 Reject "Permission mapping partially ineffective"

[Collector: Zope Bugs, Features, and Patches ...]

Issue #444 Update (Reject) "Permission mapping partially ineffective"
 Status Rejected, Zope/bug critical
To followup, visit:
  http://collector.zope.org/Zope/444

==============================================================
= Reject - Entry #2 by Caseman on Apr 29, 2004 1:08 pm

 Status: Pending => Rejected

ZClasses are not being actively maintained, so unless you provide a patch, it is not likely to be fixed.
________________________________________
= Request - Entry #1 by d.maurer on Jun 26, 2002 4:59 pm

Douwe (mailto:douwe at oberon.nl) reported:
  ... permission mapping has no effect for "manage_addProperty" inherited
  from DTMLDocument ...

I analysed the problem:

  Permission mappings defined in the ZClass' "Define Permissions" tab itself
  (rather than that for a specific method/propertySheet)
  are ineffective.

  As a consequence, the permissions of inherited methods cannot be
  remapped.
  
  Permission mappings defined for specific methods or property sheets
  are effective. Accesses to such a method or property sheet
  are wrapped into an additional PM (Permission Mapper) acquisition wrapper
  that takes care of the permission mapping. Such a wrapper is missing
  for ZInstance accesses.

This is a potential security breach, as anticipated protections
expressed via a permission mapping is not effective.


Workaround:

  If the permission mapping has the aim to restrict a permission,
  there is no work around.

  If the permission should be extended, a wrapper method can be defined
  that calls the original method. Its "View" permission is mapped
  to the desired target permission. It gets a proxy role such that
  it is able to call the original method.

See mailing list archives of zope at zope.org
for details: [Zope] ZClass and Permissions
==============================================================