[Zope] Re: restricting permissions for direct access only

Tres Seaver tseaver at palladion.com
Thu Feb 16 09:55:05 EST 2006

Chris Withers wrote:
> Tres Seaver wrote:
>> The prior behavior (allowing users to access protected resources "above"
>> the domain of their user folders) was a security hole caused by a bug,
>> and was never documented as allowable:  correcting it was a matter for a
>> rather urgent fix, as it broke the explicitly-documented model.
> I don't think that's what Michael and I were commenting on...

Sorry I misread -- I thought this was the "I used to be able to acquire
protected resources" window. ;)

> IIRC, if you had scripta calling scriptb, you used to be able to give
> scripta a proxy role and scriptb would also execute with that role.
> However, again IIRC, in current Zope releases, if you give scripta a
> proxy role, when it calls scriptb, scriptb will just run with the roles
> of the current user.
> Have I got this right? If so, I wonder why the change was made...

The only change I recall to how proxy roles work is that proxy roles
used to *augment* a user's roles;  now they *replace* them.

I don't know that the case you are talking about (S1 has proxy roles,
calls protected S2 fine, but fails when calling PR-less S3 which calls
S2) ever worked under either scenario.  Proxy roles have always only
been checked for the "topmost" object on the executable stack (S1 in the
first example, S2 in the second).

--
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
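A small executable model of the two rules stated in the reply above (proxy roles on the topmost executable replace the user's roles, where they used to augment them; and only the topmost executable's proxy roles are consulted when a callee is checked). This is an added illustration written for this page, not Zope's own security-policy code: the `Executable` class, the `run`/`effective_roles` functions, the role names and the S1/S2/S3 scenario are assumptions chosen to reproduce the cases discussed, not Zope identifiers.

```python
"""Model of proxy-role checks on an executable stack (added illustration, not Zope code).

Rules modelled, as described in the message above:
  * When a callee is checked, only the proxy roles of the topmost
    (currently executing) object on the stack are consulted.
  * Those proxy roles REPLACE the user's roles (mode="replace");
    older behaviour AUGMENTED them (mode="augment").
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when no effective role grants access to the target."""


@dataclass
class Executable:
    name: str
    allowed_roles: frozenset            # any one of these roles grants execution
    proxy_roles: frozenset = frozenset()  # roles the executable runs under, if any
    calls: list = field(default_factory=list)  # executables it invokes, in order


def effective_roles(user_roles, stack, mode="replace"):
    """Roles in effect for a check made while `stack[-1]` is executing.

    Proxy roles declared further down the stack are ignored: only the topmost
    executable's proxy roles matter.  With an empty stack (a direct web
    request) the user's own roles apply.
    """
    if not stack or not stack[-1].proxy_roles:
        return frozenset(user_roles)
    top_proxy = stack[-1].proxy_roles
    if mode == "replace":
        return top_proxy
    if mode == "augment":
        return frozenset(user_roles) | top_proxy
    raise ValueError(f"unknown mode {mode!r}")


def run(target, user_roles, mode="replace", stack=None):
    """Execute `target` and its callees, checking each against the roles in effect."""
    if stack is None:
        stack = []
    if not (target.allowed_roles & effective_roles(user_roles, stack, mode)):
        raise Unauthorized(f"{target.name} called from {[e.name for e in stack]}")
    stack.append(target)
    try:
        for callee in target.calls:
            run(callee, user_roles, mode, stack)
    finally:
        stack.pop()
    return True


def outcome(target, user_roles, mode="replace"):
    """'ok' or 'unauthorized' for a call chain, without raising."""
    try:
        run(target, user_roles, mode)
        return "ok"
    except Unauthorized:
        return "unauthorized"


def build_scenario():
    """Constructed scenario: S2 is Manager-only; S1 has proxy role Manager; S3 has none."""
    both = frozenset({"Anonymous", "Manager"})
    manager = frozenset({"Manager"})
    s2 = Executable("S2", manager)                         # protected resource
    s1 = Executable("S1", both, manager, [s2])             # proxy roles, calls S2 directly
    s3 = Executable("S3", both, frozenset(), [s2])         # no proxy roles, calls S2
    s1_via_s3 = Executable("S1'", both, manager, [s3])     # proxy roles, but S2 reached via S3
    anon_only = Executable("anon_only", frozenset({"Anonymous"}))
    s1_to_anon = Executable("S1''", both, manager, [anon_only])  # replace-vs-augment gotcha
    return {"S1": s1, "S1_via_S3": s1_via_s3, "S1_to_anon": s1_to_anon}


if __name__ == "__main__":
    sc = build_scenario()
    anon = {"Anonymous"}
    for label, ex in sc.items():
        for mode in ("replace", "augment"):
            print(f"{label:10s} {mode:8s} -> {outcome(ex, anon, mode)}")
```

Running it shows that S1 (proxy roles, calling the protected S2 directly) succeeds in both modes, that S1' calling S2 through the proxy-role-less S3 fails in both modes, because S3 is the topmost executable when S2 is checked, and that the one behavioural difference is the anon_only case: a script whose proxy roles replace the user's roles can no longer reach something granted only to a role it does not carry.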