Re: [Zope] Zope and roles and hierarchy
On 2/14/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> But my subfolders are for different groups of users and I want to keep them apart (so I can throw them away with the subfolder, when their use has become obsolete).

Well, you could use PluggableAuthService, and have them in different zodb_users plugins, I think.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Zope and roles and hierarchy
On 2/13/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> [cb] And what are my options if I want to call f1_index directly from f11?

Placing your acl_users folder higher up.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope] Zope and roles and hierarchy
But my subfolders are for different groups of users and I want to keep them apart (so I can throw them away with the subfolder, when their use has become obsolete).

cb

----- Original Message -----
From: Lennart Regebro [EMAIL PROTECTED]
To: Kees de Brabander [EMAIL PROTECTED]
Cc: zope user list zope@zope.org
Sent: Tuesday, February 14, 2006 11:33 AM
Subject: Re: [Zope] Zope and roles and hierarchy

> On 2/13/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> > [cb] And what are my options if I want to call f1_index directly from f11?
>
> Placing your acl_users folder higher up.
>
> --
> Lennart Regebro, Nuxeo http://www.nuxeo.com/
> CPS Content Management http://www.cps-project.org/
Re: [Zope] Zope and roles and hierarchy
----- Original Message -----
From: Lennart Regebro [EMAIL PROTECTED]
To: Kees de Brabander [EMAIL PROTECTED]
Cc: zope user list zope@zope.org
Sent: Saturday, February 11, 2006 2:25 PM
Subject: Re: [Zope] Zope and roles and hierarchy

> On 2/11/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> > f1 (folder, acquisition of view permission disabled, and granted again to all roles except Anonymous)
> >   f1_index (dtml-method)
> >   f11 (folder)
> >     acl_users (user folder)
> >       user1 (user object with user defined 'student' role)
> >     index_html (dtml-method calling f1_index)
> >
> > When calling .../f1/f11 and authenticating as user1 in zope 2.7.3, you will get the page, but in 2.7.8 you are not authorized.
>
> Ah, OK, you are not calling it directly. Yes, that may be one of the security holes that was patched up in 2.7.4, I think.
>
> The solution is easy: give index_html a proxy role. In this case Authenticated is enough. f1_index itself, if you call it directly, will not be accessible, and that's how it has to be.

[cb] And what are my options if I want to call f1_index directly from f11?

cb
Re: [Zope] Zope and roles and hierarchy
Ok. This solves a long-standing misconception on my part. Somehow I lived with the idea that the called object should have a proxy role and not the calling object. Stupid! Thanks.

cb

----- Original Message -----
From: Lennart Regebro [EMAIL PROTECTED]
To: Kees de Brabander [EMAIL PROTECTED]
Cc: zope user list zope@zope.org
Sent: Saturday, February 11, 2006 2:25 PM
Subject: Re: [Zope] Zope and roles and hierarchy

> On 2/11/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> > By referring to 1.10 I did not intend to create the impression that I am very experienced. I am still just an average user and happy with that. But consider this use case:
> >
> > f1 (folder, acquisition of view permission disabled, and granted again to all roles except Anonymous)
> >   f1_index (dtml-method)
> >   f11 (folder)
> >     acl_users (user folder)
> >       user1 (user object with user defined 'student' role)
> >     index_html (dtml-method calling f1_index)
> >
> > When calling .../f1/f11 and authenticating as user1 in zope 2.7.3, you will get the page, but in 2.7.8 you are not authorized.
>
> Ah, OK, you are not calling it directly. Yes, that may be one of the security holes that was patched up in 2.7.4, I think.
>
> The solution is easy: give index_html a proxy role. In this case Authenticated is enough. f1_index itself, if you call it directly, will not be accessible, and that's how it has to be.
Re: [Zope] Zope and roles and hierarchy
Unaware of any security risks, I used this feature from zope 1.10.x on and, regularly upgrading my applications, I had no problems until zope 2.7.8.

cb

----- Original Message -----
From: Lennart Regebro [EMAIL PROTECTED]
To: Kees de Brabander [EMAIL PROTECTED]
Cc: David [EMAIL PROTECTED]; zope user list zope@zope.org
Sent: Friday, February 10, 2006 2:49 PM
Subject: Re: [Zope] Zope and roles and hierarchy

> On 2/10/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> > > If so, couldn't we have some extra attribute to a role like upwardly mobile? (I want to share a code base for several folders sub-folders and I do not want to give it anonymous access).
> >
> > I second that. This used to be possible, at least up to zope 2.7.3.
>
> No, you don't have any rights above where you are created, because you don't exist there and hence you can not be validated. Implementing that would be complicated, unnecessary and most likely open up huge security holes.
>
> > The loss of this feature makes the acquisition concept obsolete to some extent.
>
> There may be some difference and some feature which you lost between 2.7.3 and 2.7.8, especially since a lot of security fixes were done, but the described functionality was not it, unless Zope 2.7.3 specifically had by mistake opened up this gaping security hole.
>
> --
> Lennart Regebro, Nuxeo http://www.nuxeo.com/
> CPS Content Management http://www.cps-project.org/
Re: [Zope] Zope and roles and hierarchy
On 2/11/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> Unaware of any security risks, I used this feature from zope 1.10.x on and, regularly upgrading my applications, I had no problems until zope 2.7.8.

Admittedly, I didn't use 1.10, I only discovered Zope two months later, with 2.0.1. And I don't remember those details that far back. But at least in 2.4.0, this code was called when you did user.allowed():

    def _check_context(self, object):
        # Check that 'object' exists in the acquisition context of
        # the parent of the acl_users object containing this user,
        # to prevent stealing access through acquisition tricks.
        # Return true if in context, false if not or if context
        # cannot be determined (object is not wrapped).
        parent = getattr(self, 'aq_parent', None)
        context = getattr(parent, 'aq_parent', None)
        if context is not None:
            if object is None:
                return 1
            if not hasattr(object, 'aq_inContextOf'):
                if hasattr(object, 'im_self'):
                    # This is a method. Grab its self.
                    object = object.im_self
                if not hasattr(object, 'aq_inContextOf'):
                    # Object is not wrapped, so return false.
                    return 0
            if object.aq_inContextOf(context, 1):
                return 1
            # Wrapped, but not at or below the user folder's parent.
            return 0
        # This is lame, but required to keep existing behavior.
        return 1

And hence, you can't have done this after Zope 2.4.0. So I still think you are talking about something else.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope] Zope and roles and hierarchy
By referring to 1.10 I did not intend to create the impression that I am very experienced. I am still just an average user and happy with that. But consider this use case:

f1 (folder, acquisition of view permission disabled, and granted again to all roles except Anonymous)
  f1_index (dtml-method)
  f11 (folder)
    acl_users (user folder)
      user1 (user object with user defined 'student' role)
    index_html (dtml-method calling f1_index)

When calling .../f1/f11 and authenticating as user1 in zope 2.7.3, you will get the page, but in 2.7.8 you are not authorized.

I have attached an export file with this setup. If you'd like to try, just give user1 a password of your liking and see for yourself.

More importantly, however, how would one go about making available objects shared by many subfolders, each with its own group of users?

cb

----- Original Message -----
From: Lennart Regebro [EMAIL PROTECTED]
To: Kees de Brabander [EMAIL PROTECTED]
Cc: David [EMAIL PROTECTED]; zope user list zope@zope.org
Sent: Saturday, February 11, 2006 12:09 PM
Subject: Re: [Zope] Zope and roles and hierarchy

> On 2/11/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> > Unaware of any security risks, I used this feature from zope 1.10.x on and, regularly upgrading my applications, I had no problems until zope 2.7.8.
>
> Admittedly, I didn't use 1.10, I only discovered Zope two months later, with 2.0.1. And I don't remember those details that far back. But at least in 2.4.0, this code was called when you did user.allowed():
>
> [...]
>
> And hence, you can't have done this after Zope 2.4.0. So I still think you are talking about something else.
>
> --
> Lennart Regebro, Nuxeo http://www.nuxeo.com/
> CPS Content Management http://www.cps-project.org/

[Attachment: f1.zexp (binary data)]
Re: [Zope] Zope and roles and hierarchy
On 2/11/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> By referring to 1.10 I did not intend to create the impression that I am very experienced. I am still just an average user and happy with that. But consider this use case:
>
> f1 (folder, acquisition of view permission disabled, and granted again to all roles except Anonymous)
>   f1_index (dtml-method)
>   f11 (folder)
>     acl_users (user folder)
>       user1 (user object with user defined 'student' role)
>     index_html (dtml-method calling f1_index)
>
> When calling .../f1/f11 and authenticating as user1 in zope 2.7.3, you will get the page, but in 2.7.8 you are not authorized.

Ah, OK, you are not calling it directly. Yes, that may be one of the security holes that was patched up in 2.7.4, I think.

The solution is easy: give index_html a proxy role. In this case Authenticated is enough. f1_index itself, if you call it directly, will not be accessible, and that's how it has to be.

> More importantly, however, how would one go about making available objects shared by many subfolders, each with its own group of users?

That depends very much on what type of objects it is and why you want that setup.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
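An added illustration, not Zope's own code (class and function names are invented): a toy Python model of the two rules that come up in this exchange and in the _check_context quote earlier in the thread. A user only validates on objects at or below the folder that holds its acl_users, and a method carrying proxy roles is checked with those roles instead of the caller's. The f1/f11 layout from the thread is rebuilt so the direct call to f1_index fails while index_html with proxy role Authenticated succeeds.

```python
# Added toy model, not Zope's code; class and function names are invented.
class Folder:
    def __init__(self, name, parent=None, view_roles=None):
        self.name, self.parent = name, parent
        self.view_roles = view_roles   # None: acquire View from the parent
        self.acl_users = {}            # local user folder: username -> roles

    def view_roles_here(self):
        f = self                       # acquisition of the View permission
        while f.view_roles is None:
            f = f.parent
        return f.view_roles

    def in_context_of(self, ancestor):
        f = self                       # what _check_context asks: at/below?
        while f is not None and f is not ancestor:
            f = f.parent
        return f is ancestor

class Method:
    """A DTML method in a folder, optionally carrying proxy roles."""
    def __init__(self, folder, proxy_roles=()):
        self.folder, self.proxy_roles = folder, set(proxy_roles)

def effective_roles(user_home, username, obj, caller=None):
    """Roles checked against obj's View permission for this request."""
    if caller is not None and caller.proxy_roles:
        return caller.proxy_roles      # proxy roles replace the user's
    if not obj.folder.in_context_of(user_home):
        return {"Anonymous"}           # user cannot be validated up there
    return user_home.acl_users[username] | {"Authenticated"}

def can_view(user_home, username, obj, caller=None):
    roles = effective_roles(user_home, username, obj, caller)
    return bool(roles & obj.folder.view_roles_here())

def build_scenario(index_html_proxy_roles=()):
    """The f1/f11 layout from the thread; user1 lives in f11/acl_users."""
    root = Folder("root", view_roles={"Anonymous", "Authenticated", "Manager"})
    f1 = Folder("f1", root, view_roles={"Authenticated", "Manager", "student"})
    f11 = Folder("f11", f1)            # View acquired from f1
    f11.acl_users["user1"] = {"student"}
    return f11, Method(f1), Method(f11, index_html_proxy_roles)  # f1_index, index_html
```

Calling build_scenario() with no proxy roles reproduces the "not authorized" case; build_scenario(["Authenticated"]) reproduces the fix, and a direct request for f1_index still fails either way.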
Re: [Zope] Zope and roles and hierarchy
----- Original Message -----
From: David [EMAIL PROTECTED]
To: zope user list zope@zope.org
Sent: Friday, February 10, 2006 4:44 AM
Subject: [Zope] Zope and roles and hierarchy

> Hello Zope,
>
> Is it true that even though a user Role like 'author' is defined at zope root, users defined lower in the hierarchy *also* with role 'author' cannot access objects at root with role 'author' and permissions of view and access? The online zope book seems to say so.
>
> If so, couldn't we have some extra attribute to a role like upwardly mobile? (I want to share a code base for several folders sub-folders and I do not want to give it anonymous access).

I second that. This used to be possible, at least up to zope 2.7.3. Not any more in 2.7.8. The loss of this feature makes the acquisition concept obsolete to some extent.

cb
Re: [Zope] Zope and roles and hierarchy
On 2/10/06, Kees de Brabander [EMAIL PROTECTED] wrote:
> > If so, couldn't we have some extra attribute to a role like upwardly mobile? (I want to share a code base for several folders sub-folders and I do not want to give it anonymous access).
>
> I second that. This used to be possible, at least up to zope 2.7.3.

No, you don't have any rights above where you are created, because you don't exist there and hence you can not be validated. Implementing that would be complicated, unnecessary and most likely open up huge security holes.

> The loss of this feature makes the acquisition concept obsolete to some extent.

There may be some difference and some feature which you lost between 2.7.3 and 2.7.8, especially since a lot of security fixes were done, but the described functionality was not it, unless Zope 2.7.3 specifically had by mistake opened up this gaping security hole.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
[Zope] Zope and roles and hierarchy
Hello Zope,

Is it true that even though a user Role like 'author' is defined at zope root, users defined lower in the hierarchy *also* with role 'author' cannot access objects at root with role 'author' and permissions of view and access? The online zope book seems to say so.

If so, couldn't we have some extra attribute to a role like upwardly mobile? (I want to share a code base for several folders sub-folders and I do not want to give it anonymous access).

David
Re: [Zope] Zope and roles and hierarchy
--On 9 February 2006 19:44:37 -0800 David [EMAIL PROTECTED] wrote:
> Hello Zope,
>
> Is it true that even though a user Role like 'author' is defined at zope root, users defined lower in the hierarchy *also* with role 'author' cannot access objects at root with role 'author' and permissions of view and access? The online zope book seems to say so.

This is absolutely true (and clear, since you are only authenticated on the level and below where your user account is defined).

> If so, couldn't we have some extra attribute to a role like upwardly mobile? (I want to share a code base for several folders sub-folders and I do not want to give it anonymous access).

If you want to share something, then make it available on a level where all related users have the necessary rights.

-aj