Folder and SQL security
Security in ZOPE is very puzzling. If I have certain rules set for the root folder, can I set something different for the sub folders? Any changes seem to have no effect at all.

I am especially wondering about the settings for anonymous users. I'd like to give them only 'viewing' privilege, but that does not work. The site is not functional at all and asks for the password even for viewing. Then I enable 'access the content' and the site works as long as I do not try to use SQL. When I, however, enable the 'use sql methods' permission, they can access my database and delete and add entries to it.

What do I have to do to allow anonymous viewers to just view the site (keep in mind that I am using a couple of ZSQL methods for embedding data in my HTML)? I also want to have one of the sub folders not accessible to anyone but me.

Can anyone help?

Regards,
George
George wrote:

> Security in ZOPE is very puzzling. If I have certain rules set for the root folder, can I set something different for the sub folders?

Sure... for general security information see both http://www.zope.org/Members/michel/ZB (the Zope book security chapter, mostly finished) and http://www.zope.org/Members/mcdonc/PDG (security chapter mostly finished).

> Any changes seem to have no effect at all.

Can you be more specific?

> I am especially wondering about the settings for anonymous users. I'd like to give them only 'viewing' privilege, but that does not work.

How doesn't it work?

> The site is not functional at all and asks for the password even for viewing. Then I enable 'access the content' and the site works as long as I do not try to use SQL.

Yes, "access contents information" is equivalent to allowing the user to list the objects in an object manager. It's given to anonymous by default most of the time, and is probably required for most operations.

> When I, however, enable the 'use sql methods' permission, they can access my database and delete and add entries to it.

This should have nothing to do with 'access contents information'. There should be permissions available to restrict the use of SQL methods. Have you seen them?

> What do I have to do to allow anonymous viewers to just view the site

Give them "view" and "access contents information" permissions. Depending on the products you've got installed and the operations you want the users to be able to carry out, you may need to give them other permissions.

> (keep in mind that I am using a couple of ZSQL methods for embedding data in my HTML)? I also want to have one of the sub folders not accessible to anyone but me. Can anyone help?
>
> Regards, George
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Hi George! Please check what Chris wrote too, but I can answer this:

> Security in ZOPE is very puzzling. If I have certain rules set for the root folder, can I set something different for the sub folders?

It's as simple as having a separate acl_users in those folders that need different security. Say your site is:

/ (root)
/department1
/department2
  /subdept1
  /subdept2
/department3

...and you want a common security model except for subdept2. So you tweak the acl_users in / (root) as you want and *only in subdept2* you create another acl_users and tweak that as well.

Hope this helps,
Dimitris
http://www.zope.org/Members/dandraka
On Mon, 4 Sep 2000, George wrote:
> asks for the password even for viewing. Then I enable 'access the content' and the site works as long as I do not try to use SQL. When I, however, enable the 'use sql methods' permission, they can access my database and delete and add entries to it. What do I have to do to allow

Chris may have pointed you in the right direction, but depending on the complexity of what you are doing you may also need to learn about using proxy roles. This allows you to write a dtml-method that an anonymous user can call, where the dtml-method can access privileged functions. Since you control the method code, you thereby control the security of that access and can limit it to just what you need to make the site functional.

--RDM
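A concrete shape for the proxy-role approach described above, added here as an illustration and not code from anyone in the thread: the ZSQL method keeps its "Use Database Methods" permission restricted to Manager, and a DTML Method with a Manager proxy role exposes only that one read query with its parameter bound through dtml-sqlvar. The object names (news_select, show_news), the table and column names and the 'front' section value are assumptions for the example.

```dtml
<dtml-comment>
  ZSQL Method "news_select" (assumed name), argument list: section
  Its "Use Database Methods" permission is left acquired from the root,
  where only Manager holds it, so an anonymous visitor cannot call this
  method (or the insert/delete methods next to it) directly.
</dtml-comment>
SELECT id, title, body
FROM news
WHERE section = <dtml-sqlvar section type="string">
ORDER BY id DESC

<dtml-comment>
  DTML Method "show_news" (assumed name) in the same folder.
  Proxy tab:    proxy role "Manager"
  Security tab: "View" granted to Anonymous
  While this method runs, permission checks see the Manager proxy role,
  so the call to news_select succeeds; but only this fixed, read-only
  query with a fixed section argument is reachable through it. The
  write methods stay Manager-only and are never referenced here.
</dtml-comment>
<dtml-var standard_html_header>
<h1>News</h1>
<dtml-in expr="news_select(section='front')">
  <h2><dtml-var title html_quote></h2>
  <p><dtml-var body html_quote></p>
</dtml-in>
<dtml-var standard_html_footer>
```

Keep the proxy role on the smallest method that needs it; a proxy role on a method that interpolates request data into a ZSQL call would hand anonymous visitors exactly the database access the original question was trying to avoid.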
Participants (4): Chris McDonough, Dimitris Andrakakis, George, R. David Murray