[Zope] Re: Aquisition, UserFolder and security
Tres Seaver
tseaver at palladion.com
Fri Sep 30 08:57:36 EDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
bruno modulix wrote:
> Dieter, I didn't misunderstood your proposed solution. But some users
> exist in different CPMs with different roles in each CPM. So - unless
> I'm totally at lost with how Zope's security works - if User1 has role
> RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
> he could gain RoleWithMuchPrivileges in Cpm2 just by using faked url
> cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
> any CPM could gain access to any other CPM just by faking url.
The Zope security machinery goes out of its way to prevent such an
exploit: essentially, it considers only "containment" acquisition when
evaluating roles, etc.
Tres.
- --
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDPTZA+gerLs4ltQ4RApDKAKC60CDyD0rIdCN/CC8dMmPbreeAKACZAUB3
cX01OZuxOaIL1hNnXS1NxrI=
=VlQo
-----END PGP SIGNATURE-----
More information about the Zope
mailing list