By referring to 1.10 I did not intend to create the impression that I am very
experienced. I am still just an average user and happy with that. But
consider this use case:

f1 (folder, acquisition of view permission disabled, and granted again to
all roles except Anonymous)
    f1_index (dtml-method)
    f11 (folder)
        acl_users (user folder)
            user1 (user object with user defined 'student' role)
        index_html (dtml-method calling f1_index)

When calling .../f1/f11 and authenticating as user1 in Zope 2.7.3, you will
get the page, but in 2.7.8 you are not authorized.
I have attached an export file with this setup. If you'd like to try, just
give user1 a password of your liking and see for yourself.

More importantly, however, how would one go about making available objects
shared by many subfolders each with its own group of users?

cb

----- Original Message ----- 
From: "Lennart Regebro" <[EMAIL PROTECTED]>
To: "Kees de Brabander" <[EMAIL PROTECTED]>
Cc: "David" <[EMAIL PROTECTED]>; "zope user list" <zope@zope.org>
Sent: Saturday, February 11, 2006 12:09 PM
Subject: Re: [Zope] Zope and roles and hierarchy


On 2/11/06, Kees de Brabander <[EMAIL PROTECTED]> wrote:
> Unaware of any security risks I used this "feature" from zope 1.10.x on and
> regularly upgrading my applications I had no problems until zope 2.7.8

Admittedly, I didn't use 1.10, I only discovered Zope two months
later, with 2.0.1. And I don't remember those details that far back.
But at least in 2.4.0, this code was called when you did
user.allowed():
[...]
And hence, you can't have done this after Zope 2.4.0. So I still think
you are talking about something else.

--
Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/

Attachment: f1.zexp
Description: Binary data

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
