Hi all,

I have a little security problem which results in the following error
reported by Shane Hathaway's nice VerboseSecurity:

Error Type: Unauthorized
Error Value: The owner of the executing script does not have the required permission. 
Access to 'foobar' of (Folder instance at 932b600) denied. Access requires 
View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing 
script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles 
['Authenticated', 'Owner'].

I try to explain what happens.
Let's say I have a user called foo who has Manager-Roles across a Zope-site.
foo has added 2 DTMLMethods to a folder, called bar and foobar.
foobar is called from inside bar (<dtml-call foobar>).
He also created a Role MSAdmin.
bar is accessible and visible by Anonymous Users.
foobar is accessible and visible by MSAdmin and Manager.
If I view bar and log in as a user with MSAdmin-Roles everything works fine.
But if I remove the Manager-Role from foo, who has created the two DTMLMethods, I get
the above error.

I have the same problem with a really big Zope-Site where I have the remove
from a specific user. The only solution I have found is to recreate the DTMLMethods.
It is very hard to recreate all DTMLMethods created by foo.

I hope somebody has another hint for me. :)

Regards, as

Zope-Dev maillist  -  [EMAIL PROTECTED]
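
The check reported in the error message above, as an added example that is not part of the original post and is not Zope's own code: a simplified model in which access needs a granted role both for the logged-in user and for the owner of the executing script. The names User, DTMLMethod, check_access, view_bar and the user "visitor" are assumptions made for illustration.

```python
from dataclasses import dataclass


class Unauthorized(Exception):
    pass


@dataclass
class User:
    name: str
    roles: frozenset


@dataclass
class DTMLMethod:
    name: str
    owner: User            # recorded when the object is created
    view_roles: frozenset  # roles granted the View permission


def check_access(target, user, executing=None):
    """Return True if access is allowed, otherwise raise Unauthorized."""
    # 1. The logged-in user needs one of the roles granted on the target.
    if not user.roles & target.view_roles:
        raise Unauthorized(f"user {user.name} may not access {target.name}")
    # 2. The owner of the executing script needs one as well, so a script
    #    cannot do more than the person who wrote it is allowed to do.
    if executing is not None and not executing.owner.roles & target.view_roles:
        raise Unauthorized(
            f"access to {target.name} denied: executing script "
            f"{executing.name} is owned by {executing.owner.name}, "
            f"who has the roles {sorted(executing.owner.roles)}"
        )
    return True


def view_bar(foo_roles):
    """Constructed scenario from the post: an MSAdmin user views bar,
    and bar (owned by foo) calls foobar."""
    foo = User("foo", frozenset(foo_roles))
    visitor = User("visitor", frozenset({"Anonymous", "Authenticated", "MSAdmin"}))
    bar = DTMLMethod("bar", foo, frozenset({"Anonymous"}))
    foobar = DTMLMethod("foobar", foo, frozenset({"MSAdmin", "Manager"}))
    check_access(bar, visitor)                    # direct request for bar
    check_access(foobar, visitor, executing=bar)  # <dtml-call foobar> inside bar
    return "rendered"
```

In this model the visitor's own roles never change; only the roles of foo, the recorded owner of bar, decide whether the call to foobar succeeds.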