[Zope] Re: restricting permissions for direct access only
Chris Withers (chris at simplistix.co.uk)
Thu Feb 16 03:27:43 EST 2006

Tres Seaver wrote:
> The prior behavior (allowing users to access protected resources "above"
> the domain of their user folders) was a security hole caused by a bug,
> and was never documented as allowable:  correcting it was a matter for a
> rather urgent fix, as it broke the explicitly-documented model.

I don't think that's what Michael and I were commenting on...

IIRC, if you had scripta calling scriptb, you used to be able to give
scripta a proxy role and scriptb would also execute with that role.
However, again IIRC, in current Zope releases, if you give scripta a
proxy role, when it calls scriptb, scriptb will just run with the roles
of the current user.

Have I got this right? If so, I wonder why the change was made...

Chris
-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
    
    