[Zope-dev] Re: [Zope] Re: Anonymous after logging in?
John Eikenberry
jae@kavi.com
Sun, 28 Mar 1999 19:45:08 -0800 (PST)
On Fri, 26 Mar 1999, John Eikenberry wrote:
> Ack... I spoke too soon... but I've figured out a fix and I'd like to
> bounce it off the group to see if you'd think it'd break anything.
>
> The fix was to modify AccessControl.User.validate()... here's a unified
> diff showing what I changed...
>
> @@ +390,10 -388,7 @@
> # Try to get user
> user=self.getUser(name)
> if user is None:
> + if self._isTop():
> + return self._nobody
> + else:
> + return None
> - return None
>
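Review bot: The new `if self._isTop(): return self._nobody` branch returns the Anonymous User object for any name the top-level folder does not know, without ever consulting the roles requested for the object, so callers that previously got None (and raised Unauthorized, per the explanation below the hunk) now get a usable user at the site root regardless of what the object requires. Gate the return on the anonymous user's own check, e.g. `if self._isTop() and self._nobody.allowed(parent, roles): return self._nobody.__of__(self)`, and fall through to `return None` otherwise. Minor: the header reads `@@ +390,10 -388,7 @@`, whereas unified diff convention is `@@ -old,count +new,count @@`, and the `- return None` line should precede the `+` lines that replace it so the hunk reads as a single replacement.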
> Key:
> self._nobody returns the Anonymous User object
> self.getUser tries to get the user object from an acl_users folder
>
> The problem I was having, was that validate() was getting passed the
> authentication information for the person who was defined in a subfolder
> which it didn't have access to... so... the validate would return None,
> which would raise the Unauthorized error. By having it return the
> Anonymous User object (only at the top level), it allows access to public
> areas without sacrificing security.
>
> Does this make sense... does anyone see any potential problems?
Found a big one myself. Turned out 'Anonymous User' could get access to
almost any part of the site with this... oops. ;)
Here's a new version; I'll just enclose the source, as the diff above
points to the place in Zope.
        # Try to get user
        user = self.getUser(name)
        if user is None:
            nobody = self._nobody
            # Only at the top-level folder, and only if the Anonymous User
            # is itself allowed the requested roles on this object
            if self._isTop() and nobody.allowed(parent, roles):
                ob = nobody.__of__(self)
                return ob
            else:
                return None
---
John Eikenberry
[jae@kavi.com - http://taos.kavi.com/~jae/]
______________________________________________________________
"A society that will trade a little liberty for a little order
will deserve neither and lose both."
--B. Franklin
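The two versions of the fix, as an added example that is neither part of this thread nor Zope's own code: a deliberately simplified Python model of nested acl_users folders, written here to show why the first patch let the Anonymous User into role-protected areas at the site root and the second does not. The classes, the bottom-up traversal in `authorize()`, the `version` switch, the role semantics of `allowed()` and the sample site in `build_site()` are all constructed assumptions for the illustration, not Zope's API.

```python
# Added example: a constructed model of Zope-style nested acl_users folders.
# Not Zope's code; every class, name and the traversal order are assumptions.

ANONYMOUS_ROLE = "Anonymous"


class User:
    """A user and the roles it holds (constructed model, not Zope's class)."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def allowed(self, obj, roles):
        """True when one of this user's roles is among those obj requires."""
        return bool(self.roles & frozenset(roles))


NOBODY = User("Anonymous User", [ANONYMOUS_ROLE])


class UserFolder:
    """Stands in for an acl_users folder; top=True marks the site root's."""

    def __init__(self, users, top=False):
        self.users = {u.name: u for u in users}
        self.top = top
        self._nobody = NOBODY

    def getUser(self, name):
        return self.users.get(name)

    def _isTop(self):
        return self.top

    def validate(self, name, parent, roles, version):
        """Return the User granted the requested roles on parent, else None.

        version 0: unmodified behaviour, an unknown name yields None
        version 1: the first patch, an unknown name at the top yields the
                   Anonymous User with no role check
        version 2: the second patch, the Anonymous User is returned only
                   when it is itself allowed the requested roles
        """
        user = self.getUser(name)
        if user is None:
            nobody = self._nobody
            if version == 1 and self._isTop():
                return nobody  # over-permissive: roles never consulted
            if version == 2 and self._isTop() and nobody.allowed(parent, roles):
                return nobody
            return None
        return user if user.allowed(parent, roles) else None


class Folder:
    """A content object that may carry its own acl_users and requires roles."""

    def __init__(self, name, parent=None, users=(), roles=(ANONYMOUS_ROLE,)):
        self.name = name
        self.parent = parent
        self.roles = tuple(roles)
        self.acl_users = UserFolder(users, top=(parent is None))


def authorize(obj, name, version):
    """Ask each acl_users from obj up to the root; the first non-None wins.

    Returns the name of the user granted access, or None where Zope would
    raise Unauthorized. (Assumed traversal order for the model.)
    """
    node = obj
    while node is not None:
        user = node.acl_users.validate(name, obj, obj.roles, version)
        if user is not None:
            return user.name
        node = node.parent
    return None


def build_site():
    """Constructed sample site: a root with a Manager, a public area, a
    Manager-only area, and a project folder that defines its own user."""
    root = Folder("root", users=[User("admin", ["Manager"])])
    public = Folder("public", parent=root)
    admin_area = Folder("admin_area", parent=root, roles=("Manager",))
    project = Folder("project", parent=root,
                     users=[User("alice", ["Manager"])], roles=("Manager",))
    return root, public, admin_area, project


if __name__ == "__main__":
    root, public, admin_area, project = build_site()
    for target in (public, admin_area, project):
        for version in (0, 1, 2):
            print(target.name, "version", version,
                  "alice ->", authorize(target, "alice", version))
```

Running the script walks the three cases that matter in the thread: `alice`, defined only in `project`, is refused the public area under version 0 (the original complaint), admitted to it as the Anonymous User under versions 1 and 2, and, under version 1 only, also admitted as the Anonymous User to the Manager-only `admin_area`, which is the hole the second patch's `allowed()` check closes.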