[Zope-CMF] Security behavior question

Doyon, Jean-Francois Jean-Francois.Doyon@CCRS.NRCan.gc.ca
Mon, 17 Dec 2001 12:56:41 -0500


Tres,

Thanks for the quick reply!

The behavior you describe is what I was expecting.

Actually I have a customized "document_view" that behaves normally.  It
seems the problem occurs only with my DTML method (Part of a skin) that I
created from scratch (instead of using a default one and clicking
"customize") ...

It should be noted that the object I'm "viewing" is actually a custom one I
created and added to the list of CMFDefault object types.  Could the problem
come from that? I'm pretty sure all my security declarations are correct,
I'll revisit them, but it's a real basic object with only one property.

As for your questions, nope I didn't change anything as far as security
settings, at least not for the "anonymous" role ... (Well I removed the
ability to join the portal, but that's it).  My method has the exact same
security properties set on it as the customized document_view, and
neither has any Proxy roles defined.

As for the caching, I just tested that and nope ... the third way of doing
it still gets me in ...

Hmmm ... And "document_view" and "map_interactive" (My DTML Method) both
live in the "custom" skin folder, which means that permission inheritance is
also the same ...

Ha ha ... I like to work from examples, and I'm noticing the Document's
CookedBody has a declareProtected set on it ... Which makes sense, but I
don't have that kind of declaration on my object, since there's no method in
my class ... My object simply sets a property used by the skin. How would I
go about declaring a security condition on accessing a property instead of a
method (or function, whatever the python parlance is :)?

I guess I would have to add a new permission setting and instead of doing a
declareObjectPublic I would use a declareObjectProtected(<permission name>)
?

Thanks,
J.F.

-----Original Message-----
From: Tres Seaver [mailto:tseaver@zope.com]
Sent: Friday, December 14, 2001 7:08 PM
To: Doyon, Jean-Francois
Cc: Zope-Cmf
Subject: Re: [Zope-CMF] Security behavior question


Doyon, Jean-Francois wrote:

> Hello,
> 
> I just noticed a security behavior that surprised me.
> 
> Let's say I have an object I access by the URL:
> 
> http://localhost/path/to/my/object
> 
> Now let's say that object is marked "private" ...
> 
> If I try to access the URL above, I'll get redirected to the Log In page ...
> which is fine ...
> 
> If I try to access it with a /view , same thing happens, also fine ...
> 
> If however I try to access it using the component used to view (i.e. the
> "action" item of the "view" action) it WORKS! An anonymous user just managed
> to view a private item!
> 
> This is the default behavior, I haven't touched anything.
> 
> Is this right? How do I get around it? Do I have to build the security check
> into the DTML used to view the object? That seems strange, shouldn't the
> security model "climb up the tree" and make sure the user (in this case
> anonymous) has the rights not only to the DTML template used to view the
> object, but the object itself?
> 
> Any help would be most appreciated,


I can't reproduce this behavior on any CMF sandbox (CVS head,
1.2, and older version from October, etc.)  Here is what I did:

   1. Created a new CMFSite, 'foobar'.

   2. As manager, created a Document, 'Baz', and edited it,
      leaving it in "Private" state.

   3. In a different browser, I navigated to each of these URLs:

      - http://localhost:9080/foobar/Baz

      - http://localhost:9080/foobar/Baz/view

      - http://localhost:9080/foobar/Baz/document_view

      All three redirected me to the login form.

Can you supply more details?  For instance, have you tweaked
any permissions on the CMFSite, or on any of its parent folders?
Have you customized the 'document_view' method, and could it have
proxy roles if so?  What versions of Zope and the CMF?  Could the
version you saw in the browser have been cached?

 
Tres.

-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
