[Zope3-dev] security frustrations

Roger Ineichen dev at projekt01.ch
Tue Aug 9 10:32:19 EDT 2005


Hi Martijn and Benji  

> -----Original Message-----
> From: zope3-dev-bounces+dev=projekt01.ch at zope.org 
> [mailto:zope3-dev-bounces+dev=projekt01.ch at zope.org] On 
> Behalf Of Benji York
> Sent: Tuesday, August 09, 2005 4:13 PM
> To: zope3-dev (E-mail)
> Subject: Re: [Zope3-dev] security frustrations
> 
> Martijn Faassen wrote:
> > * after object creation but before the object is added,
> >   various things are done to the object.
> >
> > * authorization error: user cannot access various attributes.
> 
> If these things are done by subscribers, would using trusted 
> subscribers 
> help?
> -- 
> Benji York
> Senior Software Engineer
> Zope Corporation

Remember that you don't have a location, and checking security
isn't possible if you use subscribers in this state and if
you use it together with a local PAU.

A created object, before it is added to a container, doesn't provide
the parent attribute, which is required for security checks to work
correctly in local sites. Perhaps you can do this in the after-add
event from the container where you add the object.

Regards
Roger Ineichen

Projekt01 GmbH
www.projekt01.ch
_____________________________
END OF MESSAGE


