Michael Shulman wrote:
> On 2/15/06, Chris Withers <[EMAIL PROTECTED]> wrote:
>
>>> But... it's still not working for my real site. I think the issue is
>>> this. If script1 has proxy role Manager, and script2 has view
>>> permissions set only for Manager, then script1 can call script2, no
>>> problem. But if script1 instead calls script3, which then calls
>>> script2, it doesn't work unless script3 *also* has proxy role Manager.
>>
>> Yes, this was a deliberate change made a few major releases ago. I've
>> never much liked it myself for exactly the reason you describe. I wonder
>> if anyone who knows could point out why this change was made, I'm sure
>> the reasons were good...
>
> Even if the reasons were good, it would be nice to have an option to
> turn it on or off, even if the default is off. At the very least, it
> would be nice if this fact were documented. (Is it somewhere and I
> just missed it?) It surprised me very much, and it would have
> surprised and frustrated me even more if I'd written a site which
> worked and then later on decided to split off the functionality of
> some private script into a secondary one, unsuspecting that it would
> break the proxy roles setup.
The prior behavior (allowing users to access protected resources "above" the domain of their user folders) was a security hole caused by a bug, and was never documented as allowable: correcting it was a matter for a rather urgent fix, as it broke the explicitly-documented model. The fact that folks wrote applications which relied on the hole is unfortunate; breaking them is better than leaving the sites built around the defined model vulnerable to abuse.

Tres.

--
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
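The behaviour the thread describes (proxy roles apply only to the script that carries them, not to scripts it calls) can be modelled with a small security-context stack. The following is an added illustration, not Zope's AccessControl code and not anything posted in the thread: the `Script` and `SecurityManager` classes, the `run_chain` helper and the `inherit_outer_proxy_roles` switch are constructed here. The switch is my reading of the "prior behavior" Tres mentions, in which an outer caller's proxy roles leaked into nested calls; that reading is an assumption.

```python
"""Toy model of proxy-role scoping across nested script calls.

Constructed for illustration; it is not Zope's AccessControl code.
"""


class Script:
    """A callable object that may carry proxy roles.

    required_roles: roles allowed to invoke it (None means public).
    proxy_roles:    roles the script runs with while it is the innermost
                    executable on the stack.
    calls:          the script it invokes in turn, if any.
    """

    def __init__(self, name, proxy_roles=None, required_roles=None, calls=None):
        self.name = name
        self.proxy_roles = set(proxy_roles or ())
        self.required_roles = set(required_roles) if required_roles else None
        self.calls = calls


class SecurityManager:
    def __init__(self, user_roles, inherit_outer_proxy_roles=False):
        self.user_roles = set(user_roles)
        self.stack = []  # executables currently running, outermost first
        # Assumption: the pre-fix ("hole") behaviour let proxy roles of any
        # caller on the stack apply to nested calls. Defaults to the fixed
        # behaviour, where only the innermost executable is consulted.
        self.inherit_outer_proxy_roles = inherit_outer_proxy_roles

    def effective_roles(self):
        if self.inherit_outer_proxy_roles:
            roles = set()
            for executable in self.stack:
                roles |= executable.proxy_roles
            return roles or self.user_roles
        # Fixed behaviour: proxy roles of the innermost executable replace
        # the user's roles; an outer caller's proxy roles are not inherited.
        if self.stack and self.stack[-1].proxy_roles:
            return self.stack[-1].proxy_roles
        return self.user_roles

    def validate(self, script):
        if script.required_roles is None:
            return True
        return bool(self.effective_roles() & script.required_roles)

    def call(self, script):
        if not self.validate(script):
            raise PermissionError(
                f"Unauthorized: {script.name} requires "
                f"{sorted(script.required_roles)}, "
                f"effective roles {sorted(self.effective_roles())}"
            )
        self.stack.append(script)
        try:
            if script.calls is not None:
                return self.call(script.calls)
            return f"{script.name} ran"
        finally:
            self.stack.pop()


def run_chain(entry, user_roles=("Anonymous",), inherit_outer_proxy_roles=False):
    """Return True if the whole call chain starting at entry is authorised."""
    sm = SecurityManager(user_roles, inherit_outer_proxy_roles)
    try:
        sm.call(entry)
        return True
    except PermissionError:
        return False


# Constructed scenario mirroring the thread: script2 is viewable only by
# Manager; script1 carries proxy role Manager; script3 may or may not.
script2 = Script("script2", required_roles={"Manager"})

# script1 -> script2 (direct)
script1_direct = Script("script1", proxy_roles={"Manager"}, calls=script2)

# script1 -> script3 (no proxy roles) -> script2
script3_plain = Script("script3", calls=script2)
script1_via_plain = Script("script1", proxy_roles={"Manager"}, calls=script3_plain)

# script1 -> script3 (proxy role Manager) -> script2
script3_proxied = Script("script3", proxy_roles={"Manager"}, calls=script2)
script1_via_proxied = Script("script1", proxy_roles={"Manager"}, calls=script3_proxied)

if __name__ == "__main__":
    print("direct:", run_chain(script1_direct))
    print("via plain script3:", run_chain(script1_via_plain))
    print("via proxied script3:", run_chain(script1_via_proxied))
    print("via plain script3, old behaviour:",
          run_chain(script1_via_plain, inherit_outer_proxy_roles=True))
```

With the fixed policy, an anonymous user's call succeeds for `script1 -> script2` and for `script1 -> script3 -> script2` only when script3 also carries the proxy role; through a plain script3 the check falls back to the user's own roles and fails. Flipping `inherit_outer_proxy_roles` reproduces the leaky behaviour, which is exactly what let a script outside the proxied one act with elevated roles.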