[Zope-CMF] Security behavior question
Doyon, Jean-Francois
Jean-Francois.Doyon@CCRS.NRCan.gc.ca
Fri, 14 Dec 2001 13:58:29 -0500
Hello,
I just noticed a security behavior that surprised me.
Let's say I have an object I access by the URL:
http://localhost/path/to/my/object
Now let's say that object is marked "private" ...
If I try to access the URL above, I'll get redirected to the Log In page ... which is fine ...
If I try to access it with a /view, same thing happens, also fine ...
If however I try to access it using the component used to view (i.e. the "action" item of the "view" action) it WORKS! An anonymous user just managed to view a private item!
This is the default behavior, I haven't touched anything.
Is this right? How do I get around it? Do I have to build the security check into the DTML used to view the object? That seems strange, shouldn't the security model "climb up the tree" and make sure the user (in this case anonymous) has the rights not only to the DTML template used to view the object, but the object itself?
Any help would be most appreciated,
Thanks,
Jean-François Doyon
Internet Service Development and Systems Support
GeoAccess Division
Canadian Center for Remote Sensing
Natural Resources Canada
http://atlas.gc.ca
Phone: (613) 992-4902
Fax: (613) 947-2410
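A toy model of the gap the post describes, added here as an illustration; it is not part of the original message and not Zope's own code. It shows a hop-by-hop View check on the URL path, a public template that renders a private object it reached through context without checking it (the reported behaviour), and the hardened template that re-checks the object it renders (the workaround the post asks about). `Node`, `traverse`, `can_view`, `render_template` and the sample site are constructed for the example.

```python
# Constructed model of the behaviour in the post, not Zope's code.
# Objects are public or private; only a non-anonymous user may view a private one.


class Forbidden(Exception):
    """Stands in for the redirect to the login page."""


class Node:
    def __init__(self, name, public=True, content=None, children=None):
        self.name, self.public, self.content = name, public, content
        self.children = children or {}


def can_view(user, node):
    # Anonymous users may only view public objects.
    return node.public or user != "anonymous"


def traverse(root, path, user):
    """URL traversal: every object on the path must allow View for `user`."""
    node = root
    for part in path.strip("/").split("/"):
        node = node.children[part]
        if not can_view(user, node):
            raise Forbidden(node.name)
    return node


def render_template(root, template_path, target, user, check_target=False):
    """Request the template itself. Traversal only checks the template (public);
    the template then renders `target`, reached via context rather than the URL.
    check_target=False is the reported bypass; True is the hardened template."""
    traverse(root, template_path, user)
    if check_target and not can_view(user, target):
        raise Forbidden(target.name)
    return target.content


def outcome(fn, *args, **kwargs):
    try:
        return fn(*args, **kwargs)
    except Forbidden:
        return "login required"


def build_site():
    obj = Node("object", public=False, content="private content")
    tmpl = Node("view_template", public=True)
    folder = Node("path", children={"object": obj, "view_template": tmpl})
    return Node("root", children={"path": folder}), obj


if __name__ == "__main__":
    root, obj = build_site()
    print("direct URL, anonymous:", outcome(traverse, root, "/path/object", "anonymous"))
    print("template, unchecked:", outcome(render_template, root, "/path/view_template", obj, "anonymous"))
    print("template, checked:", outcome(render_template, root, "/path/view_template", obj, "anonymous", check_target=True))
```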