[Erp5-dev] access to get_local_roles in Base_getOwnerId
Jérome Perrin
jerome at nexedi.com
Fri Nov 23 19:07:43 CET 2007
bartek wrote:
> Mikolaj Antoszkiewicz wrote:
>> Jérome Perrin wrote:
>>> Mikolaj Antoszkiewicz wrote:
>>>> Hello,
>>>>
>>>> Since access to get_local_roles by a non-Manager user is unauthorised,
>>>> could the script Base_getOwnerId have the proxy Manager role by default?
>>>> That way a normal user can verify the ownership of the object, e.g. in a script.
>>>> I think that would come in handy in many circumstances.
>>> Hello,
>>>
>>> You can use getViewPermissionOwner, which is very similar
>>>
>> What if I want to know who is the Owner even if I don't have View
>> Permission to the object?
>
> ...and, what if the guy who is the Owner doesn't have View for one
> reason or another? I may still want to know about him, while
> getViewPermissionOwner would return None...
I completely agree that it's convenient, but from a strict security point
of view it's not really good, because it makes it possible to guess
existing usernames. Both Base_getOwnerId and getViewPermissionOwner have
this problem; this information was originally protected in Zope.
I suggest that we add something to prevent those methods from being called
directly in the URL (by removing the docstring or checking the presence
of a REQUEST argument).
For the problem you mentioned, it's probably better to do this in a
Zope product, an external method, or an ERP5 local document.
>> BTW. Is there a way to get the real 'owner' of the object in ZMI?
There are multiple ways, depending on whether you want the user object or the user
id, etc. Refer to AccessControl/Owned.py in your Zope software home.
Jérome
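The REQUEST-argument guard Jérome proposes, as an added stand-alone Python example (not code from the thread or from ERP5/Zope); the Unauthorized class, FakeDocument, base_get_owner_id and the publisher simulation are constructed stand-ins for Zope's own machinery:

```python
# Constructed simulation of the "refuse direct URL calls" guard.
# Real Zope raises AccessControl.Unauthorized and its publisher binds
# REQUEST when a method is reached through a URL; both are modelled
# with plain Python here so the file runs offline.

class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


class FakeDocument:
    """Minimal stand-in for a Zope/ERP5 object carrying local roles.

    Local roles map a user id to the roles that user holds on this
    object; the holder of 'Owner' is what the thread wants to look up.
    """

    def __init__(self, local_roles):
        self._local_roles = dict(local_roles)

    def get_local_roles(self):
        # In Zope only Managers may call this; the script below is
        # assumed to run with a proxy role that allows it.
        return tuple((uid, tuple(r)) for uid, r in self._local_roles.items())


def base_get_owner_id(context, REQUEST=None):
    """Return the user id holding the 'Owner' local role, or None.

    Modelled after the Base_getOwnerId script discussed in the thread
    (constructed here, not the project's code). A non-None REQUEST means
    the publisher reached us through a URL, so the call is refused; that
    keeps the script from being used to probe which user ids exist.
    Server-side callers pass no REQUEST and are served normally.
    """
    if REQUEST is not None:
        raise Unauthorized("Base_getOwnerId may not be called through the web")
    for user_id, roles in context.get_local_roles():
        if "Owner" in roles:
            return user_id
    return None


def publish_via_url(context, REQUEST):
    """Simulate the publisher calling the script from a URL.

    Returns (status, result) the way the publisher would answer.
    """
    try:
        return "200 OK", base_get_owner_id(context, REQUEST=REQUEST)
    except Unauthorized:
        return "401 Unauthorized", None
```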