Andre Schubert schrieb:
Non-authoritative answer:Hi all,i have a little Security-Problem which results in the following Error reported by Shane Hathaway's nice VerboseSecurity: Error Type: Unauthorized Error Value: The owner of the executing script does not have the required permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles ['Authenticated', 'Owner']. I try to explain what happens. Lets say i have a user called foo who has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to a folder called bar and foobar. foobar is called from inside bar (<dtml-call foobar>). He also created a Role MSAdmin. bar is accessible and visible by Anonymous Users. foobar is accessible and visible by MSAdmin and Manager. If i view bar and login as a user with MSAdmin-Roles everything works fine. But if i remove the Manager-Role from foo who has created the two DTMLMethods i get the above error. I have the same problem with a really big Zope-Site where i have the remove Manager-Roles from a specific user. The only solution i have found is to recreate the DTMLMethods, but it is very hard to reacreate all DTMLMethods created by foo. I hope somebody has another hint for me. :)
As far as I know the problem is ownership. If you want to access objects whose owner is gone you get into trouble.
So there are probably two solutions:
a) DO NOT delete the owner
b) Let somebody else take over the ownership
--
iuveno AG
Joachim Werner
_________________
Wittelsbacherstr. 23b
90475 Nürnberg
[EMAIL PROTECTED]
www.iuveno.de
Tel.: +49 (0) 911/ 9 88 39 84
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )