[Zope-CMF] Security problem in CMF

Chris Withers chrisw@nipltd.com
Wed, 04 Jun 2003 08:29:44 +0100


Shane Hathaway wrote:
> Jeff Coleman wrote:
> 
>> Should objects in a skin folder IGNORE the security setting of the skin
>> folder they are in?
>> Considering how Zope security works with acquisition I think this is a
>> BIG security problem.
> 
> We recognized this weakness when designing the skin machinery.  So we 
> set a policy that everything in the skins tool is public, regardless of 
> security settings.  Do not put anything that should be restricted in the 
> skins tool!  

Hmmm, is this still true?

With the .security stuff for FSDV skins, you can now set security properties on 
individual skin methods.

This worked pretty well for me on a couple of projects and no-one complained 
when the code got merged into the core...

> Put your effort into protecting the objects being accessed,
> not the skins.

Well, that's not always possible. Sometimes you want one view of an object to be 
anonymously accessible while another isn't...

cheers,

Chris