By referring to 1.10 I did not intend to create the impression that I am very
experienced. I am still just an average user and happy with that. But
consider this use case:

f1 (folder, acquisition of view permission disabled, and granted again to
all roles except Anonymous)
    f1_index (dtml-method)
    f11 (folder)
        acl_users (user folder)
            user1 (user object with user defined 'student' role)
        index_html (dtml-method calling f1_index)

When calling .../f1/f11 and authenticating as user1 in Zope 2.7.3, you will
get the page, but in 2.7.8 you are not authorized.
I have attached an export file with this setup. If you'd like to try, just
give user1 a password of your liking and see for yourself.

More importantly, however, how would one go about making available objects
shared by many subfolders each with its own group of users?


----- Original Message ----- 
From: "Lennart Regebro" <[EMAIL PROTECTED]>
To: "Kees de Brabander" <[EMAIL PROTECTED]>
Cc: "David" <[EMAIL PROTECTED]>; "zope user list" <>
Sent: Saturday, February 11, 2006 12:09 PM
Subject: Re: [Zope] Zope and roles and hierarchy

On 2/11/06, Kees de Brabander <[EMAIL PROTECTED]> wrote:
> Unaware of any security risks I used this "feature" from zope 1.10.x on
> regularly upgrading my applications I had no problems until zope 2.7.8

Admittedly, I didn't use 1.10, I only discovered Zope two months
later, with 2.0.1. And I don't remember those details that far back.
But at least in 2.4.0, this code was called when you did
And hence, you can't have done this after Zope 2.4.0. So I still think
you are talking about something else.

Lennart Regebro, Nuxeo
CPS Content Management

Attachment: f1.zexp
Description: Binary data
