----- Original Message ----- 
From: "Chris Withers" <[EMAIL PROTECTED]>
To: "Kees de Brabander" <[EMAIL PROTECTED]>
Cc: <zope@zope.org>
Sent: Thursday, December 15, 2005 4:24 PM
Subject: Re: [Zope] user account defined outside context of object being

> Kees de Brabander wrote:
> > Unauthorized: Your user account is defined outside the context of the
> > being accessed.  Access to 'f1_index' of (Folder at /f1), acquired
> > (Folder at /f1/f11/f111), denied. Your user account, user1, exists at
> > /f1/f11/acl_users. Access requires one of the following roles:
> > ['Authenticated', 'Manager', 'Owner', 'student'].
> Looks like you were inadvertently taking advantage of a security hole in
> Zope that got plugged. That said, your example was extremely complicated.

Well, that's life ;)

> Can you come up with as simple an example as possible so that we can
> maybe help you out?

I can't make the example more simple than I did.
I guess it boils down to the fact that a user defined in a user folder
somewhere farther down along a path cannot acquire objects higher up that
path when the acquisition of the view permission of that object or its
container is disabled and the view permission granted again to specific
roles. This was possible up to zope version 2.7.3, but not anymore from
2.7.8. Somewhere in between this was changed, but I could not find an
explicit reference. I used this construction a lot of times, so I have to
restructure several applications. I guess that's life as well.
Thanks anyway, cb
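As an added illustration (not code from this thread, from Zope, or from either poster), the following Python models the check behind the "defined outside the context" error: a user lives in the acl_users of one folder, and a role match only counts when that folder lies on the physical containment chain of the object being accessed, so reaching an object higher up by acquisition from below does not qualify, while an object whose View permission is public (Anonymous) needs no context check at all. The folder tree, the user and the role settings are constructed to mirror the scenario above; the logic is a simplification modelled on Zope 2's AccessControl (BasicUser.allowed / _check_context) and is an assumption about its behaviour, not a copy of it.

```python
"""Simplified model of Zope 2's "user account defined outside the context" check.

Constructed example: the folders, the user and the View settings below are made
up to mirror the thread's scenario. The logic is a simplification modelled on
Zope 2's AccessControl (BasicUser.allowed / _check_context), not a copy of it.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple


@dataclass(eq=False)  # identity comparison, like Zope's "object is context"
class Folder:
    name: str
    parent: Optional["Folder"] = None
    # Roles granted View here; None means "acquire the View settings from above".
    view_roles: Optional[Set[str]] = None
    # Users defined in this folder's acl_users: user name -> roles.
    users: Dict[str, Set[str]] = field(default_factory=dict)
    children: Dict[str, "Folder"] = field(default_factory=dict)

    def add(self, name: str, view_roles=None, users=None) -> "Folder":
        child = Folder(name, self, view_roles, dict(users or {}))
        self.children[name] = child
        return child

    def path(self) -> str:
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

    def containers(self) -> Iterator["Folder"]:
        """Physical containment chain, innermost first (the aq_inner/aq_parent walk)."""
        f = self
        while f is not None:
            yield f
            f = f.parent


@dataclass(eq=False)
class User:
    name: str
    roles: Set[str]
    home: Folder  # folder whose acl_users defines this user (the user's context)


def view_roles(obj: Folder) -> Set[str]:
    """Roles that may View `obj`: walk up until a folder stops acquiring View."""
    for f in obj.containers():
        if f.view_roles is not None:
            return set(f.view_roles)
    return set()


def acquire(start: Folder, name: str) -> Optional[Folder]:
    """Look `name` up in `start`, then in each container above it (acquisition)."""
    for f in start.containers():
        if name in f.children:
            return f.children[name]
    return None


def check_view(user: User, obj: Folder, via: Folder) -> Tuple[bool, str]:
    roles = view_roles(obj)
    if "Anonymous" in roles:
        return True, "View is public here, no context check needed"
    effective = user.roles | {"Authenticated"}
    if not effective & roles:
        return False, "user holds none of %s" % sorted(roles)
    # The user's home folder must lie on the object's *physical* containment
    # chain; reaching the object by acquisition from below does not count.
    if user.home in obj.containers():
        return True, "role matched and object is inside the user's context"
    holder = obj.parent.path() if obj.parent is not None else "/"
    return False, (
        "Unauthorized: Your user account is defined outside the context of the "
        "object being accessed. Access to %r of (Folder at %s), acquired through "
        "(Folder at %s), denied. Your user account, %s, exists at %s/acl_users. "
        "Access requires one of the following roles: %s."
        % (obj.name, holder, via.path(), user.name, user.home.path(), sorted(roles))
    )


def scenario() -> Dict[str, Tuple[bool, str]]:
    root = Folder("", view_roles={"Anonymous", "Manager"})
    # /f1: acquisition of View switched off, View granted to specific roles only
    f1 = root.add("f1", view_roles={"Authenticated", "Manager", "Owner", "student"})
    f1.add("f1_index")
    f11 = f1.add("f11", users={"user1": {"student"}})  # /f1/f11/acl_users
    f111 = f11.add("f111")
    user1 = User("user1", set(f11.users["user1"]), home=f11)

    results = {}
    # 1. /f1/f11/f111/f1_index: f1_index lives in /f1 and is reached by acquisition
    obj = acquire(f111, "f1_index")
    results["acquired_from_below"] = check_view(user1, obj, via=f111)
    # 2. /f1/f11/f111 itself: inside the user's context, so the role match holds
    results["inside_context"] = check_view(user1, f111, via=f111)
    # 3. Request 1 again once /f1 acquires View (the root grants it to Anonymous)
    f1.view_roles = None
    results["view_acquired"] = check_view(user1, obj, via=f111)
    return results


if __name__ == "__main__":
    for case, (ok, why) in scenario().items():
        print("%-20s %s  %s" % (case, "allowed" if ok else "denied ", why))
```

Case 1 reproduces the denial quoted at the top of the thread; case 2 shows the same user and role succeeding when the object sits below the user's folder; case 3 shows why the construction used to work while View was acquired: the Anonymous grant from the root made the object public, so the context check never ran.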

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )