[Zope] Zope and roles and hierarchy

Kees de Brabander cj.de.brabander at hccnet.nl
Sat Feb 11 07:32:18 EST 2006

By referring to 1.10 I did not intend to create the impression that I am very
experienced. I am still just an average user and happy with that. But
consider this use case:

f1 (folder, acquisition of view permission disabled, and granted again to
all roles except Anonymous)
    f1_index (dtml-method)
    f11 (folder)
        acl_users (user folder)
            user1 (user object with user defined 'student' role)
        index_html (dtml-method calling f1_index)

When calling .../f1/f11 and authenticating as user1 in Zope 2.7.3, you will
get the page, but in 2.7.8 you are not authorized.
I have attached an export file with this setup. If you'd like to try, just
give user1 a password of your liking and see for yourself.

More importantly, however, how would one go about making available objects
shared by many subfolders each with its own group of users?


----- Original Message ----- 
From: "Lennart Regebro" <regebro at gmail.com>
To: "Kees de Brabander" <cj.de.brabander at hccnet.nl>
Cc: "David" <bluepaul at earthlink.net>; "zope user list" <zope at zope.org>
Sent: Saturday, February 11, 2006 12:09 PM
Subject: Re: [Zope] Zope and roles and hierarchy

On 2/11/06, Kees de Brabander <cj.de.brabander at hccnet.nl> wrote:
> Unaware of any security risks I used this "feature" from zope 1.10.x on
> regularly upgrading my applications I had no problems until zope 2.7.8

Admittedly, I didn't use 1.10, I only discovered Zope two months
later, with 2.0.1. And I don't remember those details that far back.
But at least in 2.4.0, this code was called when you did
And hence, you can't have done this after Zope 2.4.0. So I still think
you are talking about something else.

Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: f1.zexp
Type: application/octet-stream
Size: 1999 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope/attachments/20060211/87364331/f1-0001.obj
