bruno modulix wrote:

> Dieter, I didn't misunderstand your proposed solution. But some users
> exist in different CPMs with different roles in each CPM. So - unless
> I'm totally at a loss with how Zope's security works - if User1 has role
> RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
> he could gain RoleWithMuchPrivileges in Cpm2 just by using a faked URL
> cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
> any CPM could gain access to any other CPM just by faking the URL.

The Zope security machinery goes out of its way to prevent such an
exploit:  essentially, it considers only "containment" acquisition when
evaluating roles, etc.


Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
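The containment-only rule Tres describes, modelled as an added example (not Zope's own code): a URL-style traversal that acquires `cpm2` through `cpm1` builds a context chain that includes both CPMs, but role evaluation walks only the containment chain (the `parent` links), so User1 still ends up with RoleWithFewPrivileges in Cpm2. Node names, user names and the `parent`/`local_roles` attributes are constructed for the illustration.

```python
# Simplified model of Zope's behaviour: roles come from the containment
# chain only, never from the URL-derived (context) acquisition chain.
class Node:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent          # containment: where the object really lives
        self.children = {}
        self.local_roles = {}         # user -> set of role names granted here
        if parent is not None:
            parent.children[name] = self

def traverse(root, path):
    """Resolve a path the way acquisition traversal would: each step is looked
    up in the current object, then in everything earlier on the context chain.
    Returns the target and the full context chain in URL order."""
    chain = [root]
    for step in path.strip("/").split("/"):
        for candidate in reversed(chain):
            if step in candidate.children:
                chain.append(candidate.children[step])
                break
        else:
            raise KeyError(step)
    return chain[-1], chain

def containment_chain(obj):
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = obj.parent
    return chain[::-1]

def roles_for(user, obj):
    """Local roles as the security machinery sees them: containment chain only."""
    roles = set()
    for node in containment_chain(obj):
        roles |= node.local_roles.get(user, set())
    return roles

def roles_via_context(user, chain):
    """What a spoofed URL would yield if the context chain were trusted."""
    roles = set()
    for node in chain:
        roles |= node.local_roles.get(user, set())
    return roles

# Constructed site layout matching the thread: two CPMs under one root.
root = Node("root")
cpm1, cpm2 = Node("cpm1", root), Node("cpm2", root)
doc = Node("doc", cpm2)
cpm1.local_roles["User1"] = {"RoleWithMuchPrivileges"}
cpm2.local_roles["User1"] = {"RoleWithFewPrivileges"}
cpm1.local_roles["User2"] = {"RoleWithMuchPrivileges"}  # User2 exists in cpm1 only

def demo(path="cpm1/cpm2/doc", user="User1"):
    obj, chain = traverse(root, path)
    return ([n.name for n in chain],
            sorted(roles_via_context(user, chain)),
            sorted(roles_for(user, obj)))
```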