[Zope] AW: [Zope] Problems with manage_clone

Rik Hoekstra rik.hoekstra@inghist.nl
Wed, 05 Apr 2000 11:09:06 +0200


a.wacknitz@francotyp.com wrote:
> 
> >
> > On Tue, 4 Apr 2000 a.wacknitz@francotyp.com wrote:
> > > manage_clone() is only allowed to managers. How can I
> > authorize a user
> > > without "AUTHENTICATED_USER.has_role('Manager')" to use
> > this method? I
> >
> > You want to give your method that calls manage_clone a "proxy" role
> > of manager.
> But isn't this a security hole? I don't want a user who guesses the name of
> the method to call the method with arbitrary parameters and do things he is
> not supposed to do...
>

That's why you have to put proper security on the method itself. If a
method has proxy roles, it just gives a user that uses it more
permissions than he has normally, by way of exception. THis does not
mean you have to open up the use of the particular method for anonymous
users...

Rik