Re: [Zope-dev] Zope security alert and 2.2 information
Some notes -

On the server side, with all the new stuff about 'Owners', I'd like to suggest that the 'Find' tab better be able to find by owner :)

On the changing of ownership - could a container object get a 'recursively take ownership' tab? If you've got a bunch of people working on a site, and one leaves, it would be nice to fix that easily. Particularly since having an owner deleted is bad bad.

What happens if an object is cut'n'pasted? Does the ownership change? What about if a folder is cut'n'pasted - does the ownership of everything in the folder change?

It looks like trying to move or rename a user database will essentially become impossible (if any users from that user database are owners)...

I'm assuming that when you talk about something being accessible to the owner of the resource, this is at run-time, not creation time? So if I change a manager's roles, this will affect their objects?

hm, more thoughts to come, no doubt.

Anthony
Brian Lloyd wrote:
> Hello all -
> We have recently become aware of two important security issues that managers of Zope sites need to be aware of. Please see the overview at:
> http://www.zope.org/Members/jim/ZopeSecurity/TrojanIssueOverview
> for further details.
> Brian Lloyd brian@digicool.com Software Engineer 540.371.6909 Digital Creations http://www.digicool.com
> _______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
-- Anthony Baxter <anthony@interlink.com.au> It's never too late to have a happy childhood.
Come to think of it; this adds to my argument that not having a logout option is lame; and with lame users and/or on slow PCs, restarting the browser is often not the option.

-Morten
The Tracker product has a re-login link so this is possible. I don't think it can achieve a 'logout' but you can at least log in as a user with much lower privileges...

Chris

"Morten W. Petersen" wrote:
> Come to think of it; this adds to my argument that not having a logout option is lame; and with lame users and/or on slow PCs, restarting the browser is often not the option.
> -Morten
> The Tracker product has a re-login link so this is possible. I don't think it can achieve a 'logout' but you can at least log in as a user with much lower privileges...

Mm, yes. But that isn't an "easy" option, is it? I'd like to see something similar to the help button (Zope 2.2).

-Morten
"Morten W. Petersen" wrote:
>> The Tracker product has a re-login link so this is possible. I don't think it can achieve a 'logout' but you can at least log in as a user with much lower privileges...
> Mm, yes. But that isn't an "easy" option, is it? I'd like to see something similar to the help button (Zope 2.2).

Could you have a button that re-logs you in as the new "nobody" user?

So, the procedure would be

1: Log in as Manager user
2: Do privileged task
3: Press "finished! log me out" button to return to "nobody".

--
Steve Alexander
Software Engineer
Cat-Box limited
> Could you have a button that re-logs you in as the new "nobody" user?
> So, the procedure would be
> 1: Log in as Manager user 2: Do privileged task 3: Press "finished! log me out" button to return to "nobody".

Probably. But I think the easiest way to do it would be to just expire the authentication cookie.

-Morten
"Morten W. Petersen" wrote:
>> Could you have a button that re-logs you in as the new "nobody" user?
>> So, the procedure would be
>> 1: Log in as Manager user 2: Do privileged task 3: Press "finished! log me out" button to return to "nobody".

Hmm, how do this 'nobody' user and the Anonymous user interact? Are they the same? Should they be? What are the differences?

> Probably. But I think the easiest way to do it would be to just expire the authentication cookie.

If, of course, you're using Cookie authentication... which isn't really the problem. The problem is HTTP Basic Authentication caching the user's details until it gets told they've failed authentication for that realm...

Chris
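Added example (not code from the thread or from Zope): a minimal Python WSGI app showing the Basic Authentication behaviour described above. The browser keeps resending cached credentials for a realm until the server answers 401 for that realm, so the common workaround is a /logout URL that deliberately fails authentication; the realm name, user table and URL paths are assumptions made for this demo.

```python
import base64
from wsgiref.simple_server import make_server

REALM = "Zope"                  # assumed realm name for the demo
USERS = {"manager": "secret"}   # constructed demo credential, not a real account

def basic_header(user, password):
    """Authorization header a browser sends for this realm once it has cached a login."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")

def check_basic(auth_header):
    """Return the user name if the header carries valid Basic credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, _, password = decoded.partition(":")
    return user if USERS.get(user) == password else None

def challenge(start_response):
    """401 for REALM: the only answer that makes the browser forget cached credentials."""
    start_response("401 Unauthorized",
                   [("WWW-Authenticate", 'Basic realm="%s"' % REALM),
                    ("Content-Type", "text/plain")])
    return [b"Authentication required\n"]

def app(environ, start_response):
    if environ.get("PATH_INFO", "/") == "/logout":
        # Fail on purpose even when the credentials are valid: this is the 'logout'.
        return challenge(start_response)
    user = check_basic(environ.get("HTTP_AUTHORIZATION"))
    if user is None:
        return challenge(start_response)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello %s\n" % user).encode("utf-8")]

def call(path, auth=None):
    """Drive the app without a socket; returns (status, headers dict, body)."""
    seen = {}
    environ = {"PATH_INFO": path}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    body = b"".join(app(environ, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":          # browse http://127.0.0.1:8080/ then /logout
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Visiting /logout in a browser after logging in produces a fresh credential prompt; cancelling it leaves the browser with no cached login for the realm.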
> Hmm, how do this 'nobody' user and the Anonymous user interact? Are they the same? Should they be? What are the differences?

I think he means Anonymous..

> If, of course, you're using Cookie authentication... which isn't really the problem. The problem is HTTP Basic Authentication caching the user's details until it gets told they've failed authentication for that realm...

My bad, mixed up two different publishers.

-Morten
"Morten W. Petersen" wrote:
>> Hmm, how do this 'nobody' user and the Anonymous user interact? Are they the same? Should they be? What are the differences?
> I think he means Anonymous..

Nope. See http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan about one quarter of the way down.

"What is the relationship between the owner and owner roles? They are mostly independent. Whenever an owner is changed, the new owner will get the owner role on the object. The exception is the unlikely case in which the new owner is the special user nobody. The nobody user never gets the owner role."

--
Steve Alexander
Software Engineer
Cat-Box limited
> Nope. See http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan about one quarter of the way down.

Which does bring me back to the question of what is the relationship between the 'nobody' user and the 'Anonymous' user. Currently, if you could re-authenticate as the Anonymous user, all would be good with the world ;-) Unfortunately, I don't think you can...

Chris
Chris Withers wrote:
> "Morten W. Petersen" wrote:
>> Could you have a button that re-logs you in as the new "nobody" user?
>> So, the procedure would be
>> 1: Log in as Manager user 2: Do privileged task 3: Press "finished! log me out" button to return to "nobody".
> Hmm, how do this 'nobody' user and the Anonymous user interact? Are they the same?

No.

> Should they be?

No.

> What are the differences?

'nobody' is a special user and can own objects. 'Anonymous User' is a 'placeholder' user object for a request that is not authenticated.

--
-Michel Pelletier
http://www.zope.org/Members/michel/MyWiki
Visit WikiCentral for the latest Zen: http://www.zope.org/Members/WikiCentral
Anthony Baxter wrote:
> Some notes -
> On the server side, with all the new stuff about 'Owners', I'd

Make sure you add your comments to the SecurityWiki, or they may not be remembered.

--
-Michel Pelletier
http://www.zope.org/Members/michel/MyWiki
Visit WikiCentral for the latest Zen: http://www.zope.org/Members/WikiCentral