[Zope-dev] permission inheritance from conflicting groups

Stephan Richter srichter at cosmos.phy.tufts.edu
Tue Jun 10 09:34:11 EDT 2008


On Monday 09 June 2008, Daniel Blackburn wrote:
> It seems that there either may be an issue with Zope security or I do
> not understand it properly. Please let me know what you guys think.
>
> Lets say we have a principal with no direct permissions or roles
> assigned to see a view index.html. The principal has two groups,
> group1 and group2. group1 allows the principal to see index.html and
> group2 denys access to index.html. It seems to me that in this
> situation of conflicting permissions a deny permission should result
> for the principal to the index view. However it does not, the
> permission will be digested into allowing the principal to have access
> to the view. Is this the desired behavior, or just simply overlooked.
> I looked in the doctests and did not see anything like this. Any
> feedback would be appreciated.

I would epxect the order of the groups to matter and simply the setting that 
is found last wins. This is a third possible behavior that mimics Python's 
inheritance behavior.

Regards,
Stephan
-- 
Stephan Richter
Web Software Design, Development and Training
Google me. "Zope Stephan Richter"


More information about the Zope-Dev mailing list