[Zope-DB] restricted zsql permissions: there must be an easier way!
Toni Vicens
toni_vicens at terra.es
Fri Jul 23 03:50:03 EDT 2004
I'm completely sure, because if I change the restricted folder
permissions it works.
Anyway, I'm wondering if I'm not being a little paranoid with this
security issue. Could an authenticated site member really see others'
addresses if I unprotect the restricted folder?
Toni.
On Thu, 2004-07-22 at 22:24, Dieter Maurer wrote:
> > ...
> > The ZPT code which generates the error is the following:
> >
> > <div tal:define="addresses python:container.sql.getAddresses()"
> > tal:repeat="address addresses" tal:omit-tag="">
> > <strong tal:content="address/attribute1">First attribute in the
> > address</strong><br>
> > ...
> > </div>
> >
> > being getAddresses() the script with manager/owner proxy role which
> > calls the ZSQL method in the restricted folder, and attribute1 one of
> > the fields returned by the ZSQL method.
>
>
> Are you sure that "attribute1" is returned as a field from your
> Z SQL Method?
>
> The returned objects (both the "Results" object
> as well as the individual "record"s objects) are
> public and can be accessed without restriction.
>
> I see only one potential explanation:
>
> The "row" does not contain an "attribute1" attribute,
> it therefore is acquired and access to this object
> is not allowed.
>
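The acquisition fallback Dieter describes, as an added Python model (not code from the thread or from Zope itself; Folder, resolve_field, outcome and missing_columns are hypothetical stand-ins): a column the Z SQL Method returned is a public attribute of the record, while a name the row lacks is acquired from the containing folder and runs into that folder's permission check.

```python
# Added illustration, not from the thread or from Zope: a small model of why
# the path expression address/attribute1 can raise Unauthorized. All classes
# and functions are hypothetical stand-ins for Zope's acquisition machinery.


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""


class Folder:
    """A container in the acquisition chain; its attributes are guarded by roles."""

    def __init__(self, name, parent=None, roles=("Anonymous",), **attrs):
        self.name, self.parent = name, parent
        self.roles, self.attrs = set(roles), attrs

    def acquire(self, attr, user_roles):
        """Walk up the containers; the first holder of attr gets a permission check."""
        node = self
        while node is not None:
            if attr in node.attrs:
                if not node.roles & set(user_roles):
                    raise Unauthorized(f"{attr!r} acquired from folder {node.name!r}")
                return node.attrs[attr]
            node = node.parent
        raise KeyError(attr)


def resolve_field(row, container, attr, user_roles):
    """Model of the ZPT path expression row/attr: own columns are public,
    anything else falls through to acquisition from the record's container."""
    if attr in row:
        return row[attr]
    return container.acquire(attr, user_roles)


def outcome(row, container, attr, user_roles):
    """Return ('ok', value) or ('Unauthorized', message) for a lookup."""
    try:
        return "ok", resolve_field(row, container, attr, user_roles)
    except Unauthorized as exc:
        return "Unauthorized", str(exc)


def missing_columns(rows, wanted):
    """Diagnostic check: which fields used by the template did the query not return?"""
    present = set().union(*(r.keys() for r in rows))
    return sorted(set(wanted) - present)


if __name__ == "__main__":
    # Constructed layout: a Manager-only folder that happens to own an attribute1,
    # and records (wrapped in that folder) returned to a plain site member.
    restricted = Folder("restricted", Folder("site"), roles=("Manager",), attribute1="private")
    for row in ({"attribute1": "Main St 1"}, {"street": "Main St 1"}):
        print(row, "->", outcome(row, restricted, "attribute1", ("Member",)))
    print("missing:", missing_columns([{"street": "Main St 1"}], ["attribute1", "street"]))
```

Running the check first tells you whether the Z SQL Method really returns the column, which is the question Dieter raises.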