Determining permissions in a Product
Hi, is there a clever way of determining/debugging the required permissions and/or roles for a given Product? I know that it's pretty straightforward if the product is released as a capital-P Product, but I am less sure about looking through a .exp file. I am trying to get FlexFAQ2 set up with the minimum set of permissions. If I understand the docs correctly, I have enabled the right flags, but still I get prompted for a username/password when I try to add an item. Obviously, I would like to solve this problem, but I would be very interested to hear about more general approaches to problem-solving products.
Thanks,
Aaron Straup Cope wrote:
Obviously, I would like to solve this problem, but I would be very interested to hear about more general approaches to problem-solving products.
When the dialog box pops up, hit cancel and see what authorization failed on. That should give you some clues as to what needs fixing. Incidentally, I think this is a bit of a security hole. You shouldn't get told what you're not allowed to see, especially if it's 'cos you got your password wrong. If you see what I mean ;-)
cheers, Chris
Chris Withers wrote:
When the dialog box pops up, hit cancel and see what authorization failed on. That should give you some clues as to what needs fixing.
Incidentally, I think this is a bit of a security hole. You shouldn't get told what you're not allowed to see, especially if it's 'cos you got your password wrong. If you see what I mean ;-)
I see what you mean here, Chris, but wouldn't this come under the heading of a 'security through obscurity' hole? I.e. you're saying that the system isn't obscure enough?
Michael.
Michael Bernstein wrote:
Chris Withers wrote:
Incidentally, I think this is a bit of a security hole. You shouldn't get told what you're not allowed to see, especially if it's 'cos you got your password wrong. If you see what I mean ;-)
I see what you mean here, Chris, but wouldn't this come under the heading of a 'security through obscurity' hole? I.e. you're saying that the system isn't obscure enough?
Not really... I'm saying it shouldn't tell you stuff you _never_ need to know, like where on your file system the Zope files live. A lot of this comes from standard_error_message not being used for authorization errors, and Zope's insistence on tacking the traceback onto error pages it returns, even in production mode :-S Might have to have a look at this some time ;-)
cheers, Chris
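The two behaviours discussed in this thread side by side, as an added example that is not part of the original posts and not Zope's own code: a leaky error renderer that sends the exception text and full traceback (server file paths included) to the browser, and a safe one that keeps that detail in the server log under a request id, so an administrator can still use it to work out which permission failed (Chris's "hit cancel and see what authorization failed on" advice) without the client learning it. The `Unauthorized` class, the `add_item` operation, the permission name `Add FlexFAQ Item` and the in-memory log are all hypothetical, constructed for the example.

```python
import logging
import traceback
import uuid

# Constructed in-memory log so the example runs offline; a real deployment
# would write to the server's event log instead.
_records = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        _records.append(self.format(record))


log = logging.getLogger("authz_example")
log.setLevel(logging.WARNING)
log.addHandler(_ListHandler())
log.propagate = False


class Unauthorized(Exception):
    """Hypothetical stand-in for an application's authorization error."""

    def __init__(self, resource, permission):
        super().__init__(f"permission '{permission}' required on {resource}")
        self.resource = resource
        self.permission = permission


def add_item(user_roles):
    # Hypothetical protected operation: only the 'Manager' role may add an item.
    if "Manager" not in user_roles:
        raise Unauthorized("/faq/add_item", "Add FlexFAQ Item")
    return "item added"


def _format_tb(exc):
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error_leaky(exc):
    # The behaviour the thread complains about: the exception text and the
    # whole traceback (with file-system paths) go straight to the client.
    return "Unauthorized: " + str(exc) + "\n" + _format_tb(exc)


def render_error_safe(exc):
    # Detail goes to the server log keyed by a request id; the client only
    # sees a fixed message plus the id, which an operator can look up.
    request_id = uuid.uuid4().hex[:12]
    log.warning("request %s: %s\n%s", request_id, exc, _format_tb(exc))
    return f"Unauthorized (request id {request_id})"


def handle(user_roles, production):
    """Run the protected operation and render any authorization failure."""
    try:
        return add_item(user_roles)
    except Unauthorized as exc:
        return render_error_safe(exc) if production else render_error_leaky(exc)


def logged_detail():
    """What the administrator sees in the server log."""
    return "\n".join(_records)


if __name__ == "__main__":
    print(handle(["Anonymous"], production=False))
    print(handle(["Anonymous"], production=True))
    print("server log:\n" + logged_detail())
```

Running it shows the leaky page naming both the object (`/faq/add_item`) and the missing permission, and the traceback pointing at the file on disk, while the production page carries only a request id; grepping the server log for that id gives the administrator exactly the same clue Chris suggests reading off the browser, minus the disclosure to whoever triggered the error.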
participants (3)
- Aaron Straup Cope
- Chris Withers
- Michael Bernstein