Unaware of any security risks I used this "feature" from zope 1.10.x on and
regularly upgrading my applications I had no problems until zope 2.7.8
----- Original Message ----- 
From: "Lennart Regebro" <[EMAIL PROTECTED]>
To: "Kees de Brabander" <[EMAIL PROTECTED]>
Cc: "David" <[EMAIL PROTECTED]>; "zope user list" <zope@zope.org>
Sent: Friday, February 10, 2006 2:49 PM
Subject: Re: [Zope] Zope and roles and hierarchy

On 2/10/06, Kees de Brabander <[EMAIL PROTECTED]> wrote:
> > If so, couldn't we have some extra attribute to a role like "upwardly
> > mobile"? (I want to share a code base for several folders sub-folders
> > and I do not wanta to give it anonymous access).
> >
> I second that. This used to be possible, at least up to zope 2.7.3.

No, you don't have any rights above where you are created, because you
don't exist there and hence you can not be validated. Implementing
that would be complicated, unnecessary and most likely open up huge
security holes.

> The loss of this feature makes the acquisition concept obsolete to some
> extent.

There may be some difference and some feature which you lost between
2.7.3 and 2.7.8, especially since there was done a lot of security
fixes, but the described functionality was not it, unless Zope 2.7.3
specifically had by mistake opened up this gaping security hole.

Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to