Hello,

summary of set access rule with Zope 2.5.0:

1.) For a folder testfolder I have set "Set Access Rule" to Python script accessHB to limit access.
2.) As Chris McDonough has shown (thanks!), accessHB is working like:
From chrism@zope.com Thu Mar 21 19:21 MET 2002
Subject: Re: [Zope] set accessrule
Date: Thu, 21 Mar 2002 13:26:28 -0500
Hi,
I wouldn't bother to try to pass in REQUEST (the caller for access rules does not pass any arguments in to the script). Instead, get the REQUEST from context ala context.REQUEST. I think the test tab populates REQUEST for you via magic that doesn't happen when an access rule is called.
Your script becomes:
-----------------------------------------
## Script (Python) "accessruleHB"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=
if context.REQUEST.SESSION.get('MySessionId') == None:
    context.REQUEST.RESPONSE.redirect('/rootfolder')
-----------------------------------------
But there is a security problem with "Set Access Rule":

Any user, even an unauthorized one, can get access to the folder (which is restricted by set accessrule) if he adds _SUPPRESS_ACCESSRULE to the URL:

http: ... testfolder/_SUPPRESS_ACCESSRULE

gives access to the restricted folder testfolder.

This may be a bug or has been done to get access in case of emergency, but it makes set accessrule (more or less) useless.

What can I do to prevent Zope from giving access by adding _SUPPRESS_ACCESSRULE? Do I have to modify the programmes which implement set access rule? I don't even know where these programmes are located.

With kind regards,
Juergen Berger
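
To audit whether the bypass described in this message has been used against a folder, the added example below (not part of the original mail and not Zope code) scans access-log lines for `_SUPPRESS_ACCESSRULE` as a path segment. It assumes Common Log Format; the sample log lines, the `/testfolder` prefix and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Token taken from the message above; everything else here is an assumption.
SUPPRESS_TOKEN = "_SUPPRESS_ACCESSRULE"

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def path_segments(target):
    """Return percent-decoded path segments of a request target (query excluded)."""
    raw_path = urlsplit(target).path
    # Split first, decode after, so an encoded slash (%2F) cannot add segments.
    return [unquote(seg) for seg in raw_path.split("/") if seg]

def find_suppressed(lines, protected_prefix="/testfolder"):
    """Return log entries whose path carries the token and targets the protected folder."""
    prefix = [s for s in protected_prefix.split("/") if s]
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parsable access-log line
        segs = path_segments(m.group("target"))
        if SUPPRESS_TOKEN not in segs:
            continue
        # Compare the path without the token, wherever in the path it was placed.
        rest = [s for s in segs if s != SUPPRESS_TOKEN]
        if rest[:len(prefix)] == prefix:
            hits.append({k: m.group(k) for k in ("host", "time", "target", "status")})
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2002:19:30:01 +0100] "GET /testfolder/index_html HTTP/1.0" 302 0',
    '192.0.2.11 - - [21/Mar/2002:19:31:12 +0100] "GET /testfolder/_SUPPRESS_ACCESSRULE HTTP/1.0" 200 1843',
    '192.0.2.11 - - [21/Mar/2002:19:31:40 +0100] "GET /testfolder/%5FSUPPRESS_ACCESSRULE/doc HTTP/1.0" 200 912',
    '192.0.2.12 - - [21/Mar/2002:19:32:05 +0100] "GET /testfolder/search?q=_SUPPRESS_ACCESSRULE HTTP/1.0" 302 0',
    '192.0.2.13 - - [21/Mar/2002:19:33:00 +0100] "GET /other/_SUPPRESS_ACCESSRULE HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in find_suppressed(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["status"], hit["target"])
```

A 200 status on a flagged line next to 302 redirects for the same folder is the pattern worth reviewing, since the script in the message redirects requests that have no session id.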