[ZCM] [ZC] 743/ 5 Resolve "Proxy rights work through Acquisition"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Tue Jan 20 09:18:59 EST 2004
Issue #743 Update (Resolve) "Proxy rights work through Acquisition"
** Security Related ** (Public)
Status Resolved, Zope/bug critical
To followup, visit:
http://zope.org/Collectors/Zope/743
==============================================================
= Resolve - Entry #5 by Brian on Jan 20, 2004 9:18 am
Status: Pending => Resolved
resolved for 2.6.4 / 2.7.0 rc 1
-BL
________________________________________
= Comment - Entry #4 by mj on Dec 3, 2003 4:27 pm
Bug 977 was a dupe of this one, but reported against 2.6.1, showing how one could give oneself a Manager account higher up in the tree using this problem.
________________________________________
= Comment - Entry #3 by ShaneH on May 2, 2003 10:07 am
Does this still happen with Zope 2.6.1?
________________________________________
= Comment - Entry #2 by Jace on Jan 12, 2003 5:00 pm
Hi, has any progress been made with this? The status is still showing "(Pending)".
________________________________________
= Request - Entry #1 by Jace on Dec 23, 2002 4:16 pm
A user's permissions normally do not work through acquisition, so a user cannot use acquisition to access items in a parent folder that he/she normally would not have access to.
This restriction, however, does not apply to Proxy rights assigned to DTML methods. A method with proxy manager rights can access anything via acquisition.
This is a serious issue in a virtual hosting environment because a manager in one host can assign proxy rights to a DTML method and use that method to explore other virtual hosts with unrestricted access to everything (unless the Manager role has been specifically barred there).
==============================================================
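The behaviour reported in Entry #1, as an added example that is not part of the original thread and is not Zope's code: a simplified containment-tree model comparing a check that honours proxy roles anywhere acquisition reaches with one that honours them only inside the owner's own subtree. The class and function names, the folder layout and the scoping rule itself are assumptions made for illustration; the thread does not describe how the issue was resolved.

```python
class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def within(self, ancestor):
        """True if self is `ancestor` or lies below it in the containment tree."""
        node = self
        while node is not None:
            if node is ancestor:
                return True
            node = node.parent
        return False


class Method:
    """Hypothetical stand-in for a DTML method with proxy roles."""
    def __init__(self, owner_home, proxy_roles):
        self.owner_home = owner_home      # folder holding the owner's account
        self.proxy_roles = set(proxy_roles)


def allowed_naive(method, target_container, required_roles):
    # Reported behaviour: proxy roles are honoured wherever acquisition reaches,
    # so the target's position in the tree is never consulted.
    return bool(method.proxy_roles & set(required_roles))


def allowed_scoped(method, target_container, required_roles):
    # Assumed restriction: proxy roles count only for objects located at or
    # below the folder where the method owner's account is defined.
    if not target_container.within(method.owner_home):
        return False
    return bool(method.proxy_roles & set(required_roles))


# Constructed layout: two virtual hosts under one root.
root = Folder("root")
host_a = Folder("host_a", root)
host_b = Folder("host_b", root)
docs_a = Folder("docs", host_a)

# A manager whose account lives in host_a gives a method the Manager proxy role.
method = Method(owner_home=host_a, proxy_roles={"Manager"})


def demo():
    need = {"Manager"}
    targets = (docs_a, host_b, root)
    return {
        "naive": [allowed_naive(method, c, need) for c in targets],
        "scoped": [allowed_scoped(method, c, need) for c in targets],
    }
```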