I forget if I submitted a collector issue about this before, but I didn't see it. I just posted one at <http://www.zope.org/Collectors/CMF/396>:
Title: PortalFolder.py _verifyObjectPaste ignores executable security

Version info: CMF 1.5.4 but also in trunk

_verifyObjectPaste calls "sm.checkPermission(permission_name,self)" rather than "_checkPermission(permission_name,self)"

This makes it ignore executable security. So, if _verifyObjectPaste is in an external method or in a script with sufficient proxy roles, it raises an Unauthorized error for users when the external method / proxy role security should suffice.

Peace,
George

[originally posted this on the zope list yesterday but then discovered this list also]

On 9/9/05, Dieter Maurer <[EMAIL PROTECTED]> wrote:
> George Lee wrote at 2005-9-8 23:57 -0400:
> > ...
> >Is it okay to just replace sm.checkPermission with _checkPermission
> >from CMFCore.utils or is that not okay?
>
> Yes. But, please file a bug report as well.
>
> >Also Dieter I noticed that Alan Runyan and you briefly discussed this
> >issue back in 2002:
> >http://mail.zope.org/pipermail/zope-cmf/2002-September/015350.html
>
> Any internal use should always take executable security (i.e.
> executable ownership and proxy roles) into account.
> Not doing so is a bug, as things expected to be possible are not
> and (maybe even worse) things expected to be impossible may
> be possible.
>
> There may be a need for application code to check the permissions
> of the user with proxy roles not taken into account.
>
> E.g. a script that must use a "Manager" role to do one
> thing but does not want to do another unless the current
> user has specific permissions.
>
> For this case, there also should be a method checking
> permissions with proxy roles not taken into account.
>
> --
> Dieter
>
_______________________________________________
Zope-CMF maillist - Zope-CMF@lists.zope.org
http://mail.zope.org/mailman/listinfo/zope-cmf

See http://collector.zope.org/CMF for bug reports and feature requests
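
The two kinds of permission check discussed in this thread, as an added example that is not part of the original message and is not Zope or CMF code. It is a simplified model: every class, function and role mapping below is hypothetical, and it assumes that proxy roles replace the requesting user's roles while a script runs and that the script's owner must also hold the permission.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission mapping for one folder (not real CMF data).
ROLES_WITH_PERMISSION = {"Delete objects": {"Manager", "Owner"}}

@dataclass
class User:
    name: str
    roles: set

    def allowed(self, needed_roles):
        return bool(self.roles & needed_roles)

@dataclass
class Executable:
    """A script on the execution stack: its owner and optional proxy roles."""
    owner: User
    proxy_roles: set = field(default_factory=set)

def check_user_only(user, permission):
    """Hypothetical check that looks at the requesting user alone."""
    return user.allowed(ROLES_WITH_PERMISSION[permission])

def check_with_executable(user, permission, stack):
    """Hypothetical check that honours executable ownership and proxy roles."""
    needed = ROLES_WITH_PERMISSION[permission]
    if stack:
        exe = stack[-1]  # innermost running executable
        # Executable ownership: code may not do more than its owner could.
        if exe.owner is not None and not exe.owner.allowed(needed):
            return False
        # Proxy roles stand in for the user's roles while the script runs.
        if exe.proxy_roles:
            return bool(exe.proxy_roles & needed)
    return user.allowed(needed)

def demo():
    # Constructed users and scripts covering both failure directions.
    admin = User("admin", {"Manager"})
    member = User("member", {"Member"})
    perm = "Delete objects"
    proxied = [Executable(owner=admin, proxy_roles={"Manager"})]
    member_owned = [Executable(owner=member)]
    return {
        "member_proxy_user_only": check_user_only(member, perm),
        "member_proxy_executable": check_with_executable(member, perm, proxied),
        "admin_member_script_user_only": check_user_only(admin, perm),
        "admin_member_script_executable": check_with_executable(admin, perm, member_owned),
    }
```

The first pair of results is the Unauthorized case reported above (proxy roles should suffice but the user-only check refuses); the second pair is the reverse case, where a user-only check permits an action that the script's owner could not perform.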