[Zope3-dev] a note on groups and roles
Stuart Bishop
zen@shangri-la.dropbear.id.au
Sat, 6 Apr 2002 16:13:23 +1000
On Sunday, March 24, 2002, at 11:00 AM, Chris McDonough wrote:
> - Admins may not define a user or group in a place "above" a place
> that contains a user or group with the same identifier.
> (Preventing the common delegation problem in Zope 2 where
> a less-capable user is capable of "locking out" a more privileged
> user defined at a higher level by creating a user with the same
> identifier but a lighter set of privileges).
I think this would be better handled by locating the user by traversing
root down instead of context up. It is impossible to stop a user being
created, as this may be done from outside of Zope (by the Oracle DBA
using SQL/PLUS for example). There will always be the possibility of
username conflicts if we can use non-ZODB authentication mechanisms.
--
Stuart Bishop <zen@shangri-la.dropbear.id.au>
http://shangri-la.dropbear.id.au/