[Zope] security quickie

Manuel Amador (Rudd-O) amador@alomega.com
Tue, 17 Oct 2000 00:31:32 -0500



I too have a doubt about security stuff.

It so happens that I have this setup:

rootfolder
+   myfolderobjects
      +    inheritedstuff

I have a user X in the root folder.  Roles are set so that Anonymous doesn't have
permission for anything.   Then there is a User role that is allowed some
stuff, and I assign the local role User to X in inheritedstuff.  He now can
see index_html.  I proxy-role index_html to the User role
so I can <dtml-var somestuff>, which is in myfolderobjects, somestuff being a
DTML Method.

It works.  X can access index_html, which in turn includes somestuff from its
parent folder, and I did not have to give him explicit rights to any of the
objects in myfolderobjects.


BUT, if I try to <dtml-var somesqlmethod>, it won't work.  Note that the User
role does have permission to run SQL methods.

That's, in my point of view, a mistake in Zope's security policy.  If I
proxy-role a document or method, I should be able to acquire anything
specified in it from its parent hierarchy.

Please help or tip.  Thanks =)


Seb Bacon wrote:

> Does Zope security provide a way of restricting what objects are listed to
> an authenticated user inside the Zope 'manage' interface?  I'm getting my
> head all twisted up over this security / proxy roles /local roles lark.
>
> Thanks, seb
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )

--
Manuel Amador (Rudd-O)
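The setup described above, as an added toy model of a Zope-style permission check (example code written for this page, not Zope's own implementation or anything the poster ran). It follows the general mechanics only: permission-to-role settings acquire from the parent folder unless set on the object itself, local roles apply to an object and its subtree, and a method with proxy roles executes with those roles in place of the caller's. The permission names ("View", "Use Database Methods"), the users' global roles and the class/function names are assumptions made for the example. Because the post says the User role does hold the SQL permission, the model grants the proxied SQL call; it cannot reproduce the failure the post reports, whose cause the post does not state.

```python
"""Toy model of a Zope-style permission check with local roles, acquired
permission settings and proxy roles, for the folder layout in the post.

Added illustration, not Zope's own code.  Permission names, global roles
and the object layout below are assumptions for the example.
"""


class Obj:
    """A folder, DTML Method or SQL Method in the containment tree."""

    def __init__(self, name, parent=None, permissions=None, local_roles=None,
                 proxy_roles=None, required="View"):
        self.name = name
        self.parent = parent
        self.permissions = permissions or {}    # permission -> roles, set on this object only
        self.local_roles = local_roles or {}    # user -> roles, valid for this subtree
        self.proxy_roles = proxy_roles          # roles a method runs with, or None
        self.required = required                # permission needed to use this object

    def chain(self):
        """This object, then its parents up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def roles_for(self, permission):
        """Nearest explicit permission->roles setting on the containment path."""
        for node in self.chain():
            if permission in node.permissions:
                return node.permissions[permission]
        return set()

    def effective_roles(self, user, global_roles):
        """Global roles plus local roles granted here or on any ancestor."""
        roles = set(global_roles.get(user, ()))
        for node in self.chain():
            roles |= node.local_roles.get(user, set())
        return roles


def allowed(obj, user, global_roles, executing=None):
    """Can `user` use `obj`?  While `executing` (a method with proxy roles)
    runs, the proxy roles replace the caller's roles for every check."""
    if executing is not None and executing.proxy_roles is not None:
        roles = set(executing.proxy_roles)
    else:
        roles = obj.effective_roles(user, global_roles)
    return bool(roles & obj.roles_for(obj.required))


def build_site():
    """The layout from the post: rootfolder / myfolderobjects / inheritedstuff."""
    root = Obj("rootfolder", permissions={
        "View": {"Manager", "User"},                  # Anonymous gets nothing
        "Use Database Methods": {"Manager", "User"},  # User may run SQL methods
    })
    myfolder = Obj("myfolderobjects", parent=root)
    somestuff = Obj("somestuff", parent=myfolder)                    # DTML Method
    somesql = Obj("somesqlmethod", parent=myfolder,
                  required="Use Database Methods")                   # SQL Method
    inherited = Obj("inheritedstuff", parent=myfolder,
                    local_roles={"X": {"User"}})                     # X is User here only
    index_html = Obj("index_html", parent=inherited, proxy_roles={"User"})
    global_roles = {"X": {"Authenticated"}, "Anonymous": {"Anonymous"}}
    return global_roles, {"somestuff": somestuff, "somesqlmethod": somesql,
                          "index_html": index_html}


def checks():
    """Outcome of each access path in the post, keyed by description."""
    g, site = build_site()
    idx = site["index_html"]
    return {
        "anonymous views index_html": allowed(idx, "Anonymous", g),
        "X views index_html": allowed(idx, "X", g),
        "X calls somestuff directly": allowed(site["somestuff"], "X", g),
        "index_html (proxied) calls somestuff":
            allowed(site["somestuff"], "X", g, executing=idx),
        "X calls somesqlmethod directly": allowed(site["somesqlmethod"], "X", g),
        "index_html (proxied) calls somesqlmethod":
            allowed(site["somesqlmethod"], "X", g, executing=idx),
    }


if __name__ == "__main__":
    for what, ok in checks().items():
        print(f"{'allowed' if ok else 'denied':8} {what}")
```

The point worth keeping in mind from the model: X can reach nothing in myfolderobjects directly, yet anything the User role may acquire there becomes reachable through the proxied index_html, so the proxy role is effectively a capability grant to every caller of that method. When auditing such a setup, enumerate what the proxy role can touch in the parent hierarchy rather than only what the method is meant to include.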


