Hmm, at the time of Zope 2.1 I added a deny rule to my httpd.conf so that objectIds wasn't accessible any more. I always kept that rule - just in case. And maybe I should also add some other deny rules... But I think you're right: accessing propertyItems and stuff should be forbidden by Zope. Cheers, Ragnar
Ragnar Beer wrote:
Thanks a lot! I was trying to grep 'Access_contents_information' and didn't find a lot. Now I know that anyone can e.g. access propertyItems which is quite a bad thing in this case :( Ragnar
Yes, you're right. One thing to note is that there is another security measure. In old zopes (<= 2.1.6 IIRC) it was for instance possible to go to http://zopeserver/objectIds to get that list, which doesn't work nowadays, although anonymous has "Access contents information" rights. I wonder why propertyItems doesn't do the same.
cheers, oliver
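An added example, not part of this thread, of the kind of httpd.conf deny rule Ragnar describes for a Zope site fronted by Apache. It assumes Apache sits in front of Zope as a reverse proxy and that the introspection methods are reached by appending their name to an object URL (e.g. /objectIds, as in Oliver's example). The list of method names beyond objectIds and propertyItems is a constructed assumption; extend it to whatever your site exposes. The rule only blocks the URL at the front end; the thread's point that Zope's own "Access contents information" permission should deny this stands, and this is defence in depth on top of that.

```apache
# Deny direct URL access to Zope container/property introspection methods.
# Constructed example: adjust the method list to match your site.
# Apache 1.3 / 2.0 / 2.2 style directives (the era of the Zope 2.1 thread):
<LocationMatch "/(objectIds|objectValues|objectItems|propertyItems|propertyMap|propertyIds)$">
    Order deny,allow
    Deny from all
</LocationMatch>

# Equivalent on Apache 2.4 and later (mod_authz_core syntax):
# <LocationMatch "/(objectIds|objectValues|objectItems|propertyItems|propertyMap|propertyIds)$">
#     Require all denied
# </LocationMatch>
```

Check the rule after reloading Apache by requesting one of the listed names on an otherwise public folder and confirming the server answers 403 in the access log, then verify separately that the same request made directly to the Zope port (bypassing Apache) is also refused by Zope's permission checks; if it is not, the front-end rule is the only thing protecting that data.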