From: "Chris McDonough" <[EMAIL PROTECTED]>
> On Mon, 4 Sep 2000, Chris Withers wrote:
> > Well, okay, let me rephrase the question:
> > Why is it bad for the bootstrap user to own anything?
> > It used to be considered okay before Zope 2.2, so what has been
> > changed/discovered that makes this now such a bad idea that despite
> > loads of newbie pain and confusion, it's still worth while/necessary?
> I've got to say I agree with you here.  I'm still not 100% sure why the
> superuser or bootstrap user can't own anything.

It's due to a combination of the trojan horse issue and the sticky
authentication issue, I think.  You really don't want to be authenticated as
super very often, because while you are, if you visit a page someone else
wrote, they can make your browser do evil things to your site.  This is also
true of Managers, but less so.  Similarly, a page owned by non-super has
tighter permissions than one owned by the super would.

Ideally, people working in a site should be operating with the bare minimum
of privileges to get the job done.  The super should only be called in when
no one else can fix it.


Evan @ digicool & 4-am
