-----Original Message----- From: Jim Fulton [mailto:jim@digicool.com] Sent: Thursday, 29 April 1999 00:11 To: Jay, Dylan Cc: 'zope@zope.org' Subject: Re: [Zope] security model with regards to aquisition
"Jay, Dylan" wrote:
I have a folder that has restricted access. In a parent
folder I have a DTML
method that accesses a property of the folder. A browser that has not been autheticated for viewing the folder can still view use the aquired method in the folder, ie they type
http://server.com/RestrictedFolder/parentMethod and it works!!!
This seems counter intuitive to me.
Me too. Note that this has nothing to do with acquisition. A Public method of the folder could also access a property of the folder.
Either you have access to a folder or you do not.
Well, there are many types of access. But I think it should be possible to disacble access to a folder's properties through the "Access contents information" permission.
Why is this the case and should it be? In any case how do I make sure users can not do the above unless authenticated?
This is a bug in the validation logic. The current rules allow access to objects that don't have __roles__ attributes and that are not acquired. The reason is that it is assumed that you have to have access to the container to get the object, but this is not always true.
I will fix this today and check the fix in, so it will be available via the public CVS. The fix will also be in the next release. The fix will add a check for parent roles even if an object is not acquired.
A possible work around is to use an expression and name the folder when you access properties to force access to the folder to be checked:
<!--#var "theSecretFolder.aProperty"-->
This work around doesn't seem to work in my case. I want to actually redirect to another address which seems to always work no matter whether the the folder is allowed to be accessed or not. Here is the method I'm using <!--#if "_.getitem(id).title"--> <!--#call "REQUEST.set('blah',_.string.split(DownloadItems[_.int(file)],'|'))"--> <!--#call "REQUEST.set('loc',_.string.split(Locations[_.int(loc)],'|'))"--> <!--#with "_.namespace(file=aq_parent.id + '/' + id + '/' + blah[1])"--> <!--#call "RESPONSE.redirect(loc[1]+'/'+file+'?'+getArgs(_,file, 10)+'&f='+file)"--> <!--#/with--> <!--#else--> <!--#call "RESPONSE.setStatus(404)"--> <!--#/if-->
Jay, Dylan wrote: (snip)
I wrote:
A possible work around is to use an expression and name the folder when you access properties to force access to the folder to be checked:
<!--#var "theSecretFolder.aProperty"-->
This work around doesn't seem to work in my case. I want to actually redirect to another address which seems to always work no matter whether the the folder is allowed to be accessed or not. Here is the method I'm using
<!--#if "_.getitem(id).title"--> <!--#call "REQUEST.set('blah',_.string.split(DownloadItems[_.int(file)],'|'))"--> <!--#call "REQUEST.set('loc',_.string.split(Locations[_.int(loc)],'|'))"--> <!--#with "_.namespace(file=aq_parent.id + '/' + id + '/' + blah[1])"--> <!--#call "RESPONSE.redirect(loc[1]+'/'+file+'?'+getArgs(_,file, 10)+'&f='+file)"--> <!--#/with--> <!--#else--> <!--#call "RESPONSE.setStatus(404)"--> <!--#/if-->
Are you saying that this code should work differently? Or that the file you redirect to should fail? If the former, please help me out and point me to the specific test that you want to work differently. If the latter, then you need to change the property references in the file you redirected too. Alternatively, you can apply the change (to lib/python/DocumentTemplate/cDocumentTemplate) that I checked in yesterday. :) Jim -- Jim Fulton mailto:jim@digicool.com Technical Director (540) 371-6909 Python Powered! Digital Creations http://www.digicool.com http://www.python.org Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email address may not be added to any commercial mail list with out my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
participants (2)
-
Jay, Dylan -
Jim Fulton