Velko Ivanov wrote:
Dmitry Vasiliev wrote:
Maybe we need to always check the security map at the root folder?

I don't believe this is the solution. Although it will solve my example,
it wouldn't help in other scenarios.
I would eventually make ZopeConnection and ZopeCursor locatable, if they
aren't already, and assign the database adapter as the parent of the
connection and the connection to the cursor at the time of their creation.
Actually I'm going to patch it like that right away.

ZopeConnection and ZopeCursor are not the only objects without a location, see for
example '/++etc++process', so I think it is a UI grant tool problem. I'll post
an issue to the collector.

One last question, to clear things up a bit for me, as I don't have a Zope3
copy here to try -
Imagine the user accesses some Python class by means of submitting a
form and that class needs to do some work with the database, so it
obtains a database connection, creates a cursor and executes some
queries. In this case, will the class access the connection with the
user's privileges, or is it trusted?
If it is trusted, my problem here is not of such big importance, but if
not, I imagine zope.app.rdb needs some urgent updates.

I don't believe that I currently fully understand the whole of Z3's security system,
:-) but I think you can manage access rights through the 'permission' attribute of
the form's ZCML directive. For instance, in one of my projects there are pages
which use a database connection with 'zope.Public' and 'zope.ManageContent'

Dmitry Vasiliev (dima at hlabs.spb.ru)
Zope3-dev mailing list