[Zope3-dev] Zope Policy x Grants

Gary Poster gary at modernsongs.com
Thu Oct 30 21:04:36 EST 2003


If it's really necessary, I guess that's ok by me, anyway.  Is there no 
other way around this?

Stated more generally, is it true that, in order for an object to be 
accessible to untrusted and/or security-aware code, it must implement 
ILocation?

Gary

Sidnei da Silva wrote:
> Howdy,
> 
> I identified the following issue today:
> 
> If you grant a local role to a user, where this role has a given
> permission, and a vocabulary, for example, or something
> like that is protected by that permission, the user who was granted
> a local role will not be able to get to it. Why? Because in
> zope/app/security/zopepolicy.py, around line 153, we try to get the
> context roles using a LocationIterator, but it is possible that some
> objects don't implement ILocation, like in this case
> SimpleVocabulary.
> 
> I suggest making another version of SimpleVocabulary, which implements
> ILocation and put it in zope.app.schema.vocabulary, much like
> zope.publisher.browser.BrowserView x
> zope.app.publisher.browser.BrowserView.
> 
> Does anyone disagree?
> 
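
A plain-Python model of the lookup described in this thread, added here as an illustration and not taken from zope/app/security/zopepolicy.py. All class, function, principal and permission names are hypothetical. It shows a local role grant being found for an object that has a parent link and missed for one that does not.

```python
class Located:
    """Stand-in for an object providing ILocation: it knows its parent."""
    def __init__(self, name, parent=None):
        self.__name__ = name
        self.__parent__ = parent


class Unlocated:
    """Stand-in for an object with no parent link (the SimpleVocabulary case)."""


def containment_chain(obj):
    """Yield obj and each ancestor, stopping where the parent link ends."""
    while obj is not None:
        yield obj
        obj = getattr(obj, "__parent__", None)


def roles_in_context(principal, obj, local_grants):
    """Collect roles granted to principal on obj or on any of its ancestors."""
    roles = set()
    for node in containment_chain(obj):
        roles |= local_grants.get((node, principal), set())
    return roles


def check_permission(permission, principal, obj, local_grants, role_perms):
    """Allow only if some role found in context carries the permission."""
    roles = roles_in_context(principal, obj, local_grants)
    return any(permission in role_perms.get(r, ()) for r in roles)


def demo():
    # Constructed sample data: one folder with a local role grant on it.
    root = Located("root")
    folder = Located("folder", root)
    local_grants = {(folder, "user1"): {"Editor"}}
    role_perms = {"Editor": {"example.View"}}

    located_vocab = Located("vocab", folder)  # reachable from folder
    bare_vocab = Unlocated()                  # chain is just the object itself

    args = (local_grants, role_perms)
    return (
        check_permission("example.View", "user1", located_vocab, *args),
        check_permission("example.View", "user1", bare_vocab, *args),
    )


if __name__ == "__main__":
    print(demo())
```

The denial for the unlocated object is fail-closed: the grant exists, but the walk never reaches the folder it was made on.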



