[Zope-dev] Zope 2.2.0 alpha 1 released...

Brian Lloyd Brian@digicool.com
Tue, 16 May 2000 09:30:09 -0400


> > This release contains the new changes to the Zope security
> > model to protect against the server-side trojan issue:
> > 
> > http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan
> 
> Hmm.  Let's say an object is owned by user Joe.  I export the object and
> reimport it in a different Zope installation, where Joe doesn't exist.  Who
> owns the object?  nobody?

No - you do :) Importing is the moral equivalent of "creating"
the object. Whenever you create, copy, cut & paste or import 
you will get ownership of the resulting new object.

To me, the more hairy issue is what if Joe *does* exist in the
different Zope installation, and you *do* want Joe to continue
to have ownership? Currently, you must either arrange for Joe
to do the import (which will give him ownership directly), or
import it and use an external method to assign ownership (which
is a pain). One thing we've thought of is that perhaps superuser
(and only superuser) could be able to assign ownership through
a web interface, which could make this sort of thing a bit 
easier.

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com