[Zope-DB] cannot secure DCOracle2 connection string?

Matthew T. Kromer matt at zope.com
Fri Sep 12 12:35:07 EDT 2003


Jim Abramson wrote:

>Hello, I am perplexed by a security issue with DCO2 connections:
>
>I'm trying to restrict access to the connection strings of certain database connections to all but a few of the developers with "manage" access to our Zope installations (using a locally-defined role). But it does not seem to be possible! 
>
>If I restrict "View" and/or "Access Contents Information" on the containing folder...the connection_string of the dco2 connection can't be accessed - but of course, because the connection cannot be used either (nor anything else in the Folder). 
>
>Meanwhile, restricting either "View" or "Access Contents Information" on the connection object itself seems to have no effect - that is, anyone with Manager can put a python script anywhere, find the dco2 connection object, read and print its connection_string.
>
>Is this catch-22, or am I missing something? Is it impossible to have a DCOracle2 connection that can be used by Zope pages, without exposing the connection_string to anyone with ZMI access?
>
>Thanks for any advice,
>JSA
>


Hmm...  it's probably always been that way.   One way you could change 
that, I think is to do a global replace on "connection_string" with 
"_connection_string".  You might also be able to modify the DA.py file's 
Connection object to set something like connection_string__roles = 
('Manager,') to only allow managers to see the connection string.  I'm 
actually very rusty on that section of the code, I'm afraid.

-- 
Matt Kromer
Zope Corporation  http://www.zope.com/ 
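The two mechanisms Matt mentions are the ones Zope's restricted-code attribute checks honour: a leading underscore makes an attribute unreachable from Python Scripts and DTML, and a `name__roles__` class attribute limits `name` to the listed roles (note the double underscore on both sides, and that the role list must be a real tuple, `('Manager',)`, not the string `('Manager,')`). The following is an added, simplified model of those two rules written for this thread; it is not Zope's own AccessControl code, the connection classes are hypothetical stand-ins for a DCOracle2 DA object, and the DSN is a constructed placeholder.

```python
"""Simplified model of the two protections discussed in this thread.

Not Zope's real AccessControl package (which resolves roles through
PermissionRole objects and acquisition); a stand-in that reproduces the
two rules restricted code (Python Scripts, DTML) is subject to:

  1. names beginning with ``_`` are never reachable from restricted code;
  2. a class attribute ``<name>__roles__`` lists the roles allowed to read
     ``<name>``; ``None`` (or no declaration) means anyone who can reach the
     object may read it, which is the behaviour the original post hit.
"""


class Unauthorized(Exception):
    """Raised when restricted code reads a guarded attribute."""


class RoleGuardedConnection:
    """Hypothetical DA connection with a ``__roles__`` declaration applied."""

    # Zope spells the declaration ``<attr>__roles__``; the value must be a
    # real tuple of role names.  A locally defined role could be added here.
    connection_string__roles__ = ('Manager',)
    title__roles__ = None  # explicitly public

    def __init__(self, title, dsn):
        self.title = title
        self.connection_string = dsn


class RenamedConnection:
    """Hypothetical DA connection with the attribute renamed ``_connection_string``."""

    def __init__(self, title, dsn):
        self.title = title
        self._connection_string = dsn

    def __call__(self, sql):
        # Trusted (filesystem) code still reaches the DSN; only restricted
        # code is cut off, so pages that merely *use* the connection keep working.
        return 'would execute %r using %s' % (sql, self._connection_string)


def guarded_getattr(obj, name, user_roles):
    """Model of a restricted-code attribute read by a user holding ``user_roles``."""
    if name.startswith('_'):
        raise Unauthorized('%s is private to trusted code' % name)
    roles = getattr(type(obj), name + '__roles__', None)
    if roles is not None and not set(roles) & set(user_roles):
        raise Unauthorized('%s requires one of %r' % (name, roles))
    return getattr(obj, name)


def can_read(obj, name, user_roles):
    """True if restricted code running with ``user_roles`` may read ``obj.name``."""
    try:
        guarded_getattr(obj, name, user_roles)
    except Unauthorized:
        return False
    return True


# Constructed sample data: the DSN is a placeholder, not a real credential.
SAMPLE_DSN = 'scott/PLACEHOLDER@ORCL'
guarded = RoleGuardedConnection('oracle', SAMPLE_DSN)
renamed = RenamedConnection('oracle', SAMPLE_DSN)

if __name__ == '__main__':
    for roles in (('Manager',), ('Developer',)):
        print(roles, 'connection_string:', can_read(guarded, 'connection_string', roles),
              'title:', can_read(guarded, 'title', roles))
    print('renamed, Manager:', can_read(renamed, '_connection_string', ('Manager',)))
    print(renamed('SELECT 1 FROM dual'))
```

Run as a script it shows that with the role declaration only a Manager can read `connection_string` while `title` stays readable, and that the renamed `_connection_string` is refused to restricted code for everyone, yet the connection object can still use it internally. Which of the two fits depends on whether the people who should see the string are exactly the Managers (roles) or only trusted filesystem code (underscore).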