[Zope-dev] Security Question

Dieter Maurer dieter@handshake.de
Fri, 23 Nov 2001 19:42:52 +0100


Andre Schubert writes:
 > I have a little security problem.
 > Let me explain.
 > 
 > root/
 >   index_html
 >   foo/
 >     acl_users/
 >     bar/
 >       Image
 > 
 > I have an image which can only be viewed by users with a role named
 > foobar; these users are in acl_users.
 > If I access the image through the web I must authenticate myself the
 > first time, after that everything works well.
 > But if I want to access the Image via <dtml-var Image> from the
 > index_html in the root folder I get no access.
I expect you are hit by a (in my view stupid) security feature:

  When you are not authorized to access an object, then you
  should not even see that it is there.

This is achieved by turning "Unauthorized" exceptions into
"KeyError" exceptions under some circumstances. 

The effect is similar to what you describe (at least, if I
interpret "got no access" as a "NameError" or "KeyError" for
"Image").


If, however, you keep getting "Unauthorized" exceptions
(i.e. login requests), then the reason may be that your
initial request did not get authenticated by "foo/acl_users"
but by a higher level "acl_users" that does not assign
the correct role to the user.


Dieter
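A small model of the two mechanisms discussed in this reply, added here as an illustration and not taken from Zope itself: only user folders on the traversal path can authenticate a request, and an Unauthorized on an embedded object can be surfaced as a KeyError. The Node class, the innermost-first validation order and the constructed users and passwords are simplifications assumed for the model.

```python
class Unauthorized(Exception):
    pass
class Node:
    """Folder or document. acl_users: {user: (password, roles)} or None; no required_roles = public."""
    def __init__(self, name, children=(), acl_users=None, required_roles=()):
        self.name, self.children = name, {c.name: c for c in children}
        self.acl_users, self.required_roles = acl_users, set(required_roles)

def lookup(root, path):
    """Walk path from root; return the target node and the user folders passed on the way."""
    node, user_folders = root, [root.acl_users] if root.acl_users is not None else []
    for part in path.split("/"):
        node = node.children[part]
        if node.acl_users is not None:
            user_folders.append(node.acl_users)
    return node, user_folders

def authenticate(user_folders, credentials):
    """Try the user folders seen during traversal, innermost first (assumed order); unknown users are Anonymous."""
    name, password = credentials
    for uf in reversed(user_folders):
        if name in uf and uf[name][0] == password:
            return uf[name][1]
    return {"Anonymous"}

def check(node, roles):
    if node.required_roles and not (node.required_roles & roles):
        raise Unauthorized(node.name)
    return node.name

def request(root, path, credentials):
    """Direct request for path: only user folders on that path can authenticate the user."""
    node, user_folders = lookup(root, path)
    return check(node, authenticate(user_folders, credentials))

def render_embedded(root, page, embedded, credentials, hide=True):
    """Render page containing <dtml-var embedded>: roles come from the page's path, not the image's."""
    roles = authenticate(lookup(root, page)[1], credentials)
    try:
        return check(lookup(root, embedded)[0], roles)
    except Unauthorized:
        if hide:  # "should not even see that it is there": surfaces as a KeyError instead
            raise KeyError(embedded.rsplit("/", 1)[-1]) from None
        raise

def build_site():
    # layout from the question; the user folders' contents and passwords are constructed
    image = Node("Image", required_roles={"foobar"})
    foo = Node("foo", [Node("bar", [image])], acl_users={"andre": ("secret", {"foobar"})})
    return Node("root", [Node("index_html"), foo], acl_users={"admin": ("adminpw", {"Manager"})})
```

With this layout a direct request for foo/bar/Image succeeds, while the same <dtml-var Image> rendered from root/index_html is authenticated only against the root-level acl_users and comes back as a KeyError (or, with hide=False, as Unauthorized); rendered from a page under foo/ it works.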