Re: [Zope] Bug in object security?
"James W. Howe" <jwh@allencreek.com> wrote:

> I've encountered a strange behavior with the Zope security mechanism which strikes me as a bug. Here is what I've done:
>
> 1. Create a folder in root named 'AccessTest'
> 2. Create a user folder in AccessTest
> 3. Define a role for AccessTest called 'Publisher'
> 4. Create a user in the acl_users directory and grant the user 'Publisher' access
> 5. From the AccessTest security tab, disable 'Access contents information' for anyone except the manager.
> 6. From the AccessTest security tab, enable 'View management screens' for Manager and Publisher.
>
> From a fresh browser (no previous authentication), attempt to access the management interface for AccessTest (i.e. http://foo.com:8080/AccessTest/manage). Log in as the 'Publisher' user. The screen displaying the contents of the AccessFolder will be displayed. However, this is where I think a mistake has been made.
>
> In ObjectManager, the 'View management screens' has been associated with manage_main and manage_menu. Similarly, ObjectManager defines the 'Access contents information' for the methods objectIds, objectValues and objectItems. When I disable 'Access contents information' for my Publisher role, it would seem that users with this role should not be able to access these methods. However, the manage_main dtml code which defines the contents view of the management interface makes use of these methods. When the manage_main dtml is rendered, why doesn't Zope prompt for authentication when manage_main attempts to access objectItems, for example?
>
> I'm sure there is a very reasonable explanation, but it strikes me as odd.
The likeliest explanation for this feature is that manage_main has a "proxy role" which permits it to have access beyond that of the user who called it. Like the setuid/setgid bits on an executable file in a Unix filesystem, proxy roles allow for controlled access to features; also like those bits, proxy roles could potentially open security holes, if an untrusted user is able to modify the text of the method which has them.

Tres.

--
=========================================================
Tres Seaver            tseaver@palladion.com   713-523-6582
Palladion Software     http://www.palladion.com
On Tue, 22 Feb 2000 16:36:23 -0600, Tres Seaver <tseaver@palladion.com> wrote:
> "James W. Howe" <jwh@allencreek.com> wrote:
>
> > I've encountered a strange behavior with the Zope security mechanism which strikes me as a bug.
Yes, I thought this was a bug the first time I saw it too.
> > When the manage_main dtml is rendered, why doesn't Zope prompt for authentication when manage_main attempts to access objectItems, for example?
The security that you are expecting applies to 'DTML Method' and 'DTML Document' objects. However it does not apply to dtml files used by python products, and stored in the file system. The mechanism is often referred to as 'dtml security'. But that's a particularly poor name - it doesn't apply to _all_ dtml.

Toby Dickenson
tdickenson@geminidataloggers.com
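The two explanations in this thread (Tres's proxy-role/setuid analogy and Toby's point that filesystem DTML in Python products is not subject to the per-call checks that through-the-web DTML Methods get) can be modelled in a few lines. The following is an added illustration written for this thread, not Zope's own code: the classes `Folder`, `SecurityContext`, `TTWMethod` and `FileSystemMethod`, the function `object_items` standing in for `ObjectManager.objectItems`, and the `AccessTest` folder setup are all constructed here to reproduce James's six steps. It shows why the Publisher user sees the contents listing when `manage_main` is trusted filesystem code or carries a Manager proxy role, but would be challenged for credentials if the same listing were a plain DTML Method, and it ends with a defender's check for the risk Tres names: proxy roles wider than the roles of whoever can edit the method.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class Unauthorized(Exception):
    """Raised where Zope would challenge the browser for credentials."""


@dataclass
class Folder:
    # permission name -> roles granted it, as set on the folder's Security tab
    permissions: Dict[str, Set[str]]
    contents: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecurityContext:
    # Stack of effective role sets; the top entry is what validate() consults.
    # Pushing proxy roles on top is the setuid-like behaviour Tres describes.
    stack: List[Set[str]]
    trusted: bool = False  # True only for code loaded from the filesystem

    @property
    def effective_roles(self) -> Set[str]:
        return self.stack[-1]

    def validate(self, folder: Folder, permission: str) -> bool:
        if self.trusted:
            return True  # filesystem product code is never checked (Toby's point)
        if not folder.permissions.get(permission, set()) & self.effective_roles:
            raise Unauthorized(f"{permission} denied to {sorted(self.effective_roles)}")
        return True


def object_items(ctx: SecurityContext, folder: Folder) -> List[tuple]:
    """Stand-in for ObjectManager.objectItems, guarded by the same permission."""
    ctx.validate(folder, "Access contents information")
    return sorted(folder.contents.items())


@dataclass
class TTWMethod:
    """A DTML Method stored in the ZODB ('through the web'): every call its
    body makes is checked against the caller's roles, unless proxy roles are
    set, in which case those replace the caller's roles for the call."""
    name: str
    body: Callable[[SecurityContext, Folder], object]
    proxy_roles: Set[str] = field(default_factory=set)

    def __call__(self, ctx: SecurityContext, folder: Folder):
        ctx.validate(folder, "View management screens")
        ctx.stack.append(self.proxy_roles or ctx.effective_roles)
        try:
            return self.body(ctx, folder)
        finally:
            ctx.stack.pop()


@dataclass
class FileSystemMethod:
    """A .dtml file shipped inside a Python product, as manage_main is: Zope
    trusts it, so its body runs without per-call permission checks."""
    name: str
    body: Callable[[SecurityContext, Folder], object]

    def __call__(self, ctx: SecurityContext, folder: Folder):
        ctx.validate(folder, "View management screens")
        return self.body(SecurityContext([ctx.effective_roles], trusted=True), folder)


# Constructed scenario mirroring steps 1-6 of James's message.
ACCESS_TEST = Folder(
    permissions={
        "Access contents information": {"Manager"},
        "View management screens": {"Manager", "Publisher"},
    },
    contents={"index_html": "DTML Document", "acl_users": "User Folder"},
)
PUBLISHER = SecurityContext([{"Publisher", "Authenticated"}])


def listing(ctx: SecurityContext, folder: Folder) -> List[str]:
    """What a manage_main-style contents view does: enumerate the folder."""
    return [name for name, _ in object_items(ctx, folder)]


def contents_seen_by_publisher(method) -> List[str]:
    """Names the given manage_main-like method shows the Publisher user,
    or [] where Zope would instead prompt for authentication."""
    try:
        return method(PUBLISHER, ACCESS_TEST)
    except Unauthorized:
        return []


def audit_proxy_roles(methods: List[TTWMethod], editor_roles: Set[str]) -> List[str]:
    """Defender check: TTW methods whose proxy roles exceed the roles of the
    users able to edit them. Whoever can change the method body effectively
    gains its proxy roles, which is the hole Tres warns about."""
    return [m.name for m in methods if m.proxy_roles - editor_roles]


if __name__ == "__main__":
    ttw_plain = TTWMethod("manage_main_ttw", listing)
    ttw_proxy = TTWMethod("manage_main_proxy", listing, proxy_roles={"Manager"})
    fs_main = FileSystemMethod("manage_main", listing)
    print("TTW method, no proxy roles :", contents_seen_by_publisher(ttw_plain))
    print("TTW method, proxy Manager  :", contents_seen_by_publisher(ttw_proxy))
    print("filesystem manage_main     :", contents_seen_by_publisher(fs_main))
    print("proxy roles editors lack   :", audit_proxy_roles([ttw_plain, ttw_proxy], {"Publisher"}))
```

Run stand-alone, the first line prints an empty list (the through-the-web version is stopped at `objectItems`, exactly the challenge James expected), while the proxy-role and filesystem versions both list `acl_users` and `index_html`. The audit flags only the method carrying a Manager proxy role, which is the object to watch on a site where roles other than Manager can edit DTML.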