[Zope] weird, zpt security problem?

Dieter Maurer dieter@handshake.de
Mon, 8 Apr 2002 18:40:34 +0200


Lennart Regebro writes:
 > From: "Phil Harris" <phil@harris-family.info>
 > > To sum up:
 > >
 > > If Manager is denied either of the 'Access Contents Information' or 'View'
 > > permissions then other users will not be able to gain access to properties
 > > of objects even when they have the correct permissions to do so.
 > 
 > Sounds like a bug. Enter it into the collector (collector.zope.org) so it
 > won't get lost.
 > (Not that it will actually get *fixed* that way, but still).
It's probably not a bug but an effect of Zope's Trojan-horse protection:

  The effective permissions are the intersection of the user's permissions
  and that of the owner.

  Almost surely, the owner has only the Manager role and Manager does
  not have the necessary permissions.


Dieter
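
An added example, not part of the original message and not Zope's own code: a toy model of the intersection rule described above, showing why denying Manager the 'View' permission takes it away from other users when the object's owner has only the Manager role. The permission and Manager role names come from the thread; the function names, the "Member" role and the two role tables are assumptions constructed for illustration.

```python
# Toy model of the rule described in the message; NOT Zope's AccessControl code.
# "Member", the role tables and all function names are constructed for this example.

ACI, VIEW = "Access Contents Information", "View"

def permissions_for(roles, role_permissions):
    """Union of the permissions granted to any of the given roles."""
    granted = set()
    for role in roles:
        granted |= role_permissions.get(role, set())
    return granted

def effective_permissions(user_roles, owner_roles, role_permissions):
    """Permissions in force when an owned object runs on behalf of a user:
    the intersection of the user's permissions and the owner's."""
    return (permissions_for(user_roles, role_permissions)
            & permissions_for(owner_roles, role_permissions))

def blocked_by_owner(user_roles, owner_roles, role_permissions):
    """Permissions the user holds but loses because the owner lacks them."""
    return (permissions_for(user_roles, role_permissions)
            - permissions_for(owner_roles, role_permissions))

# Constructed role tables: Manager holds both permissions in DEFAULT,
# and has been denied 'View' in RESTRICTED (the situation in the thread).
DEFAULT = {"Manager": {ACI, VIEW}, "Member": {ACI, VIEW}}
RESTRICTED = {"Manager": {ACI}, "Member": {ACI, VIEW}}

def report(user_roles, owner_roles, role_permissions):
    """Summarise what the user can do and what the owner's roles cost them."""
    return {
        "effective": sorted(effective_permissions(user_roles, owner_roles,
                                                  role_permissions)),
        "lost": sorted(blocked_by_owner(user_roles, owner_roles,
                                        role_permissions)),
    }

if __name__ == "__main__":
    user, owner = ["Member"], ["Manager"]  # owner has only the Manager role
    for label, table in (("default", DEFAULT), ("restricted", RESTRICTED)):
        print(label, report(user, owner, table))
```

The "lost" entry is the diagnostic of interest: a permission the user's own roles grant that still fails because the owner's roles do not.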