----- Original Message -----
From: Jeff Rush <jrush@timecastle.net>
To: <zope@zope.org>
Sent: Friday, November 12, 1999 2:21 PM
Subject: [Zope] Risky Giving Anon User Permission to View Management Panel
Are there any security risks associated with giving the anonymous user under Zope the 'view management panel' permission? He doesn't seem to be able to delete/modify/add things, and I thought it might be good on some sites intended for demo to allow people to peek under the covers and see how it was all done.
Zope.org seems to give you this permission to some degree, since you need it to be allowed to click on the "view DTML source", but they (somehow) prevent you from getting to the actual '/manage' interface (I'd love to know how).
I don't know if there are any other risks in the view management screens permission. The "DTML source" link could have been implemented a couple of ways... They could have put "Access Contents Information" on for anonymous (I think that's the permission used for getting the document src of DTML). Or, the view_source method could use a Proxy Role to get the permission necessary to access the source. This second method would allow them to easily make it so that it only works on DTML Methods and DTML Documents (if they wanted to). They could do this by checking the meta_type...

Kevin
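The two implementations Kevin contrasts, modelled in added example code (this is not from the thread or from Zope itself): a blanket grant of the source permission to Anonymous versus a proxy-role view_source method gated on meta_type. The permission name follows Kevin's guess, and the objects, roles and view_source function are assumptions for illustration.

```python
# Added illustration for this thread (not the thread's or Zope's own code): a
# toy model of the two ways Kevin describes for letting Anonymous read DTML
# source, showing what each exposes. Permission name follows the thread's guess.

SRC_PERMISSION = "Access Contents Information"  # assumed, per the thread

class ZopeObject:
    """Stand-in for a Zope object with a permission-guarded document_src."""
    def __init__(self, oid, meta_type, src, roles_with_src_perm):
        self.id, self.meta_type, self._src = oid, meta_type, src
        self.roles_with_src_perm = set(roles_with_src_perm)  # ZMI setting

    def document_src(self, caller_roles):
        if not self.roles_with_src_perm & set(caller_roles):
            raise PermissionError(f"{SRC_PERMISSION} denied on {self.id}")
        return self._src

def build_site(anon_has_src_perm):
    """A DTML Method plus a script whose source should stay private."""
    roles = {"Manager", "Anonymous"} if anon_has_src_perm else {"Manager"}
    return [
        ZopeObject("index_html", "DTML Method",
                   "<dtml-var standard_html_header>", roles),
        ZopeObject("secret_script", "Script (Python)",
                   "return 'internal'", roles),
    ]

def view_source(obj):
    """Option 2: a view_source method given Proxy Role 'Manager' in the ZMI
    so Anonymous may call it, but gated on meta_type as Kevin suggests."""
    proxy_roles = ["Manager"]  # stands in for the caller's roles while running
    if obj.meta_type not in ("DTML Method", "DTML Document"):
        return None
    return obj.document_src(proxy_roles)

def exposed_sources(approach, caller_roles=("Anonymous",)):
    """Map object id -> source that Anonymous can read under each approach."""
    out = {}
    if approach == "grant_permission":   # Option 1: blanket grant to Anonymous
        for obj in build_site(anon_has_src_perm=True):
            try:
                out[obj.id] = obj.document_src(caller_roles)
            except PermissionError:
                pass
    elif approach == "proxy_role":       # Option 2: narrow proxy-role method
        for obj in build_site(anon_has_src_perm=False):
            src = view_source(obj)
            if src is not None:
                out[obj.id] = src
    return out
```

The blanket grant exposes every object protected by that permission, including the script; the proxy-role method only ever returns DTML source.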