Issue #'s 78, 846, 1125 all relate to checkPermission not considering proxy roles. #78 was resolved; however, from the looks of the code (and I haven't tested this), it will fail to Cut/Paste because the 'Delete objects' perm would be permitted by the proxy role which is not considered in the checkPermission. Anyway, the question is this...

Why doesn't checkPermission consider proxy roles? I found the following discussion in Zope-CMF and it looks like this was "fixed" in CMF, but it seems to me like this should be the default policy behavior in Zope. We can do the patches if there's no reason for it being the way it is...

Cheers,
Tim

------------------------------------
begin quote

Dieter Maurer wrote:
> I think, we should have both possibilities:
>
>  [1] check whether the real user would have the permission
>      (independent of proxy roles)
>
>  [2] check whether the current context has the permission
>      (dependent on the current proxy roles and other
>      execution security aspects (such as ownership))

I'd like to replace utils._checkPermission in CMF HEAD with the attached code. This would change the behavior of _checkPermission from [1] to [2]. (If I didn't make a mistake.)

The way utils._checkPermission is used in CMF implies possibility [2] would be the right behavior, the fact it implemented [1] looks like a bug to me. I don't know of any code that'll break if we switch to [2].

I can see there might be a need for [1]. But in this case you can use Zope's checkPermission method.

If there are no objections I'll soon make a CVS checkin of the attached code.

Cheers,
Yuppie
-----------------------------------

--
Tim McLaughlin
Chief Technology Officer
Siteworx, Inc.
Innovative internet solutions.
703.964.0300 ext. 208

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
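
An added illustration, not part of the original message and not Zope or CMF code: a simplified Python model of the two behaviours listed in the quote, [1] and [2], applied to the 'Delete objects' case. All class and function names are hypothetical; the model assumes that proxy roles replace the user's roles while the script runs, and it leaves out the ownership check mentioned under [2].

```python
# Simplified model for illustration; not Zope's AccessControl implementation.
# All names are hypothetical. Assumption: while an executable with proxy roles
# runs, those roles replace the user's own roles. Ownership is not modelled.
from dataclasses import dataclass

@dataclass
class User:
    name: str
    roles: frozenset

@dataclass
class Executable:
    name: str
    proxy_roles: frozenset = frozenset()

@dataclass
class Folder:
    permission_roles: dict  # permission name -> roles holding it here

def check_real_user(permission, obj, user):
    """[1]: only the authenticated user's own roles count."""
    return bool(user.roles & obj.permission_roles.get(permission, frozenset()))

def check_context(permission, obj, user, stack):
    """[2]: proxy roles of the innermost executable take the user's place."""
    allowed = obj.permission_roles.get(permission, frozenset())
    if stack and stack[-1].proxy_roles:
        return bool(stack[-1].proxy_roles & allowed)
    return bool(user.roles & allowed)

def compare(user, stack, folder, permission="Delete objects"):
    """Return ([1] result, [2] result) for one call."""
    return (check_real_user(permission, folder, user),
            check_context(permission, folder, user, stack))

# Constructed sample data.
FOLDER = Folder({"Delete objects": frozenset({"Manager"})})
MEMBER = User("member", frozenset({"Member"}))
MANAGER = User("manager", frozenset({"Manager"}))
ELEVATING = [Executable("move_item", frozenset({"Manager"}))]
RESTRICTING = [Executable("report", frozenset({"Member"}))]

if __name__ == "__main__":
    print(compare(MEMBER, ELEVATING, FOLDER))     # [1] denies, [2] allows
    print(compare(MANAGER, RESTRICTING, FOLDER))  # [1] allows, [2] denies
    print(compare(MEMBER, [], FOLDER))            # no script: both deny
```

Under the stated assumption the two checks disagree in both directions: a script's proxy roles can grant what the real user lacks, and can also deny what the real user would be allowed.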