Thanks a lot! I was trying to grep 'Access_contents_information' and didn't find a lot. Now I know that anyone can e.g. access propertyItems which is quite a bad thing in this case :(

Ragnar
Ragnar Beer wrote:
Howdy!

I spent some time searching the documentation for an explanation of the "Access_contents_information" permission but didn't find anything. I think this is vital information for any Zope admin and should be easy to find. How can I set up permissions when I can't find out exactly what permissions I'm actually granting?

I'm (once again) in the situation where an authenticated user cannot access an object unless the "Anonymous" role is given the permission to "Access_contents_information" (the role of the authenticated user has that permission). This reminds me of the old non-root Squishdot bug, but I can't solve it by upgrading Zope this time, because I already installed 2.4.3. On the other hand I can't find out what kind of holes I'm opening by giving this permission to "Anonymous". What can I do?
You can
find -name "*.py" -exec grep -q 'Access contents information' \{\} \; -print
./AccessControl/Permissions.py
./HelpSys/HelpSys.py
./HelpSys/HelpTopic.py
./OFS/Cache.py
./OFS/ObjectManager.py
./OFS/PropertyManager.py
./OFS/PropertySheets.py
./OFS/ZDOM.py
./Products/OFSP/help/ObjectManager.py
./Products/OFSP/help/PropertyManager.py
./Products/OFSP/help/PropertySheet.py
./ZClasses/Property.py
./webdav/Resource.py
(this is Zope 2.3.3)

The relevant files should be everything under OFS/, esp. ObjectManager.py and Property*.py, and the Zope help->API Documentation, which contains help for the above-mentioned classes (including permissions).
cheers, olver
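An added example, not part of the original thread or of Zope's own code: the grep above only lists the files that mention the permission, while the script below lists the method names each class declares under it by reading the `__ac_permissions__` class attribute used in Zope 2 sources. The sample source, `DemoPropertyManager`, `DemoFolder` and `guarded_names` are constructed for illustration, and a real file has to parse under the Python that runs the script.

```python
import ast

# Constructed sample in the style of a Zope 2 class; not copied from the Zope source.
SAMPLE = '''
class DemoPropertyManager:
    __ac_permissions__ = (
        ('Manage properties', ('manage_addProperty', 'manage_editProperties')),
        ('Access contents information',
         ('propertyIds', 'propertyItems'), ('Anonymous', 'Manager')),
    )

class DemoFolder:
    __ac_permissions__ = (
        ('View', ('index_html',)),
        ('Access contents information', ('objectIds',)),
    )
'''

def guarded_names(source, permission):
    """Map class name -> (method names, default roles) declared under `permission`."""
    found = {}
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for stmt in cls.body:
            if not (isinstance(stmt, ast.Assign) and any(
                    isinstance(t, ast.Name) and t.id == '__ac_permissions__'
                    for t in stmt.targets)):
                continue
            try:
                entries = ast.literal_eval(stmt.value)
            except ValueError:
                continue  # table built from non-literal expressions; inspect by hand
            for entry in entries:
                if entry[0] == permission:
                    names, roles = found.setdefault(cls.name, ([], []))
                    names.extend(entry[1])
                    # optional third element: default roles for the permission
                    roles.extend(entry[2] if len(entry) > 2 else ())
    return found

if __name__ == '__main__':
    hits = guarded_names(SAMPLE, 'Access contents information')
    for cls, (names, roles) in hits.items():
        print(cls, names, 'default roles:', roles or 'not declared')
```

Run over each file the `find` command prints, this gives the concrete list of methods that granting the permission to "Anonymous" exposes.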