Howdy!
I spent some time searching the documentation for an explanation of the "Access_contents_information" permission but didn't find anything. I think this is vital information for any Zope admin and should be easy to find. How can I set up permissions when I can't find out exactly what permissions I'm actually granting?
I'm (once again) in the situation where an authenticated user cannot access an object unless the "Anonymous" role is given the permission to "Access_contents_information" (the role of the authenticated user has that permission). This reminds me of the old non-root Squishdot bug, but I can't solve it by upgrading Zope this time, because I already installed 2.4.3. On the other hand I can't find out what kind of holes I'm opening by giving this permission to "Anonymous".
What can I do?
Ragnar
Ragnar Beer wrote:
Howdy!
I spent some time searching the documentation for an explanation of the "Access_contents_information" permission but didn't find anything. I think this is vital information for any Zope admin and should be easy to find. How can I set up permissions when I can't find out exactly what permissions I'm actually granting?
I'm (once again) in the situation where an authenticated user cannot access an object unless the "Anonymous" role is given the permission to "Access_contents_information" (the role of the authenticated user has that permission). This reminds me of the old non-root Squishdot bug, but I can't solve it by upgrading Zope this time, because I already installed 2.4.3. On the other hand I can't find out what kind of holes I'm opening by giving this permission to "Anonymous".
What can I do?
You can
find -name "*.py" -exec grep -q 'Access contents information' \{\} \; -print
./AccessControl/Permissions.py
./HelpSys/HelpSys.py
./HelpSys/HelpTopic.py
./OFS/Cache.py
./OFS/ObjectManager.py
./OFS/PropertyManager.py
./OFS/PropertySheets.py
./OFS/ZDOM.py
./Products/OFSP/help/ObjectManager.py
./Products/OFSP/help/PropertyManager.py
./Products/OFSP/help/PropertySheet.py
./ZClasses/Property.py
./webdav/Resource.py
(this is Zope 2.3.3) The relevant files should be everything under OFS/, esp. ObjectManager.py and Property*.py, and the Zope help -> API Documentation, which contains help for the above mentioned classes (including permissions).
cheers, oliver
Thanks a lot! I was trying to grep 'Access_contents_information' and didn't find a lot. Now I know that anyone can e.g. access propertyItems which is quite a bad thing in this case :(
Ragnar
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Ragnar Beer wrote:
Thanks a lot! I was trying to grep 'Access_contents_information' and didn't find a lot. Now I know that anyone can e.g. access propertyItems which is quite a bad thing in this case :(
Ragnar
Yes, you're right. One thing to note is that there is another security measure. In old zopes (<= 2.1.6 IIRC) it was for instance possible to go to http://zopeserver/objectIds to get that list, which doesn't work nowadays, although anonymous has "Access contents information" rights. I wonder why propertyItems doesn't do the same.
cheers, oliver
Hmm, at the time of Zope 2.1 I added a deny rule to my httpd.conf so that objectIds wasn't accessible any more. I always kept that rule - just in case. And maybe I should also add some other deny rules... But I think you're right: accessing propertyItems and stuff should be forbidden by Zope.
Cheers, Ragnar
Ragnar Beer writes:
I spent some time searching the documentation for an explanation of the "Access_contents_information" permission but didn't find anything. I think this is vital information for any Zope admin and should be easy to find. How can I set up permissions when I can't find out exactly what permissions I'm actually granting?
While I understand your wish, it probably is not that easy. I expect that there was not a precise design behind the security declarations. Instead, there were probably an initial set of permissions, "View", "Access contents information", ... with nothing more than the informal meaning expressed by the English words describing the permission (not too bad...). For me, this informal use has been sufficient so far.
When you really want to learn about all details, then you may use a tool to find all occurrences of "Access contents information" in the Zope sources (I work under Unix and would use "find" together with "fgrep"). As you are convinced that this information is vital for Zope users, you may collect it and donate it as an appendix to the ZDG (Zope's developer guide). When we all behave this way, the Zope community's strength will grow fast....
Dieter
I'm afraid that info is also far too dynamic to be kept up to date. I can imagine two solutions:
1. A 'deny everything that isn't explicitly allowed' policy. One could tell Apache to allow requests only for objects containing a certain string, e.g. '_html'. This way propertyItems and so on wouldn't be accessible. This method would certainly require a lot of planning beforehand.
2. I always dreamt about a tool that in a first step (accessing ZODB directly) walks down the object tree and collects whatever is potentially accessible and then in a second step tries to access the collected items via http and displays the results (i.e. the URL of the accessible stuff). This way it would be easy to find out what happens when you change permissions.
Ragnar
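The "second step" of the tool Ragnar describes, written up as an added example that is neither part of this thread nor Zope's own code: it takes object paths (normally collected by walking the ZODB; here a constructed list), combines them with the introspection methods that "Access contents information" guards in OFS/ObjectManager.py and OFS/PropertyManager.py, and reports which URLs the server answers to a plain anonymous GET, so you can re-run it after changing permissions or adding httpd.conf deny rules. The server name, the paths and the method list are assumptions for illustration.

```python
# Added example, not from the thread or from Zope: anonymous-access audit for
# the introspection methods guarded by "Access contents information".
import urllib.error
import urllib.request

# Methods protected by that permission in Zope 2.x's ObjectManager and
# PropertyManager; this list is an illustrative assumption, not exhaustive.
INTROSPECTION_METHODS = ("objectIds", "objectValues", "objectItems",
                         "propertyIds", "propertyItems", "propertyMap")


def http_status(url, timeout=5):
    """HTTP status for an unauthenticated GET (no cookies, no credentials)."""
    req = urllib.request.Request(url, headers={"User-Agent": "zope-perm-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # Zope answers Unauthorized with 401; keep it as data


def candidate_urls(base_url, object_paths, methods=INTROSPECTION_METHODS):
    """Combine every object path with every introspection method."""
    base = base_url.rstrip("/")
    urls = []
    for path in object_paths:
        prefix = base if path.strip("/") == "" else f"{base}/{path.strip('/')}"
        urls.extend(f"{prefix}/{method}" for method in methods)
    return urls


def audit(base_url, object_paths, fetch=http_status):
    """Return {url: status} for each candidate an anonymous client can read.

    `fetch` is injectable so the logic can be exercised without a server.
    """
    exposed = {}
    for url in candidate_urls(base_url, object_paths):
        status = fetch(url)
        if status == 200:
            exposed[url] = status
    return exposed


if __name__ == "__main__":
    # Constructed sample paths; in practice these come from the ZODB walk.
    sample_paths = ["/", "/Members", "/Members/ragnar"]
    for url in audit("http://zopeserver", sample_paths):
        print("anonymous can read:", url)
```

A URL that shows up in the output while the "Anonymous" role is supposed to be locked out is exactly the kind of hole the thread is worried about.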