Unaware of any security risks I used this "feature" from zope 1.10.x on and regularly upgrading my applications I had no problems until zope 2.7.8 cb ----- Original Message ----- From: "Lennart Regebro" <[EMAIL PROTECTED]> To: "Kees de Brabander" <[EMAIL PROTECTED]> Cc: "David" <[EMAIL PROTECTED]>; "zope user list" <[email protected]> Sent: Friday, February 10, 2006 2:49 PM Subject: Re: [Zope] Zope and roles and hierarchy
On 2/10/06, Kees de Brabander <[EMAIL PROTECTED]> wrote: > > If so, couldn't we have some extra attribute to a role like "upwardly > > mobile"? (I want to share a code base for several folders sub-folders > > and I do not wanta to give it anonymous access). > > > I second that. This used to be possible, at least up to zope 2.7.3. No, you don't have any rights above where you are created, because you don't exist there and hence you can not be validated. Implementing that would be complicated, unnecessary and most likely open up huge security holes. > The loss of this feature makes the acquisition concept obsolete to some > extent. There may be some difference and some feature which you lost between 2.7.3 and 2.7.8, especially since there was done a lot of security fixes, but the described functionality was not it, unless Zope 2.7.3 specifically had by mistake opened up this gaping security hole. -- Lennart Regebro, Nuxeo http://www.nuxeo.com/ CPS Content Management http://www.cps-project.org/ _______________________________________________ Zope maillist - [email protected] http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
