Re: [Zope] Re: restricting permissions for direct access only

2006-02-17 Thread Chris Withers
Michael Shulman wrote: I don't understand what inheriting proxy roles from callers has to do with allowing users to access protected resources above their user folders. They seem like totally different questions to me. Could you please explain? Nothing, different threads, crossed wires,

Re: [Zope] Re: restricting permissions for direct access only

2006-02-16 Thread Chris Withers
Tres Seaver wrote: The prior behavior (allowing users to access protected resources above the domain of their user folders) was a security hole caused by a bug, and was never documented as allowable: correcting it was a matter for a rather urgent fix, as it broke the explicitly-documented

Re: [Zope] Re: restricting permissions for direct access only

2006-02-16 Thread Chris Withers
David wrote: I just disagree. If theres a paranoia with the standard set of roles then prevent *those* from upward acquisition. But if I add a role *specifically* so it can access a common code pool, Security is hard enough as it is, special cases like this are something that Zoep 2 has