[Zope] Security issues

Steffen Ries steffen@cyberus.ca
Fri, 17 Sep 1999 07:58:10 -0400 (EDT)


Hi,

I had a little problem with setting the securities for a Zope
Product. I was able to solve it, but I'm not sure whether it's really a
'solution' or just a 'workaround'.

What happened is the following:

I have a Zope Product which upon creation copies a template folder
(via manage_clone()) and afterwards changes the initial properties
with manage_changeProperties(). The code follows the example in the
Content Manager Guide.

If I use this Product as 'superuser', everything is fine. But I want
to delegate responsibility for the site to 'sub-managers' who don't
get the superuser password, but have their own and a local role of
'Manager' in their branch of the site.

After creating such an account, the new manager could create standard
items like images, etc. but could not use the templates
(Netscape complained with "Authorization failed. Retry?").

The problem is accessing the manage_changeProperties() method of the
cloned object, not manage_clone().

In order to fix that, I changed the Proxy role of the constructor
method to 'Manager'; after that it works as expected.

My questions:
- is this the right way to fix the problem?

- why does a 'Manager' get no access to manage_changeProperties() of a
  new object, but 'superuser' does?

- what are the 'security mappings' in the Product folder? (read this as:
  where can I find some documentation about these mappings?) What does
  it mean, if e.g. 'Add Folder' is mapped to '(disabled)'?

tia,
/steffen
-- 
steffen@cyberus.ca		<> Gravity is a myth -- the Earth sucks!

--8<--
offending code:
...
<dtml-with "manage_clone(content_folder,REQUEST['new_id'],REQUEST)">

<dtml-call "manage_changeProperties(title=REQUEST['title'])">

</dtml-with>
...