[Zope-dev] Security Question

Andre Schubert andre.schubert@geyer.kabeljournal.de
Mon, 26 Nov 2001 08:38:09 +0100


Dieter Maurer wrote:
> 
> Andre Schubert writes:
>  > I have a little security problem.
>  > Let me explain.
>  >
>  > root/
>  >   index_html
>  >   foo/
>  >     acl_users/
>  >     bar/
>  >       Image
>  >
>  > I have an image which can only be viewed by users with a role named
>  > foobar; these users are in acl_users.
>  > If I access the image through the web I must authenticate myself the
>  > first time, after that everything works well.
>  > But if I want to access the Image via <dtml-var Image> from the
>  > index_html in the root folder I got no access.
> I expect you get hit by a (in my view stupid) security feature:
> 
>   When you are not authorized to access an object, then you
>   should not even see that it is there.
> 
> This is achieved by turning "Unauthorized" exceptions into
> "KeyError" exceptions under some circumstances.
> 
> The effect is similar to what you describe (at least, if I
> interpret "got no access" as a "NameError" or "KeyError" for
> "Image").
> 
> If, however, you keep getting "Unauthorized" exceptions
> (i.e. login requests), then the reason may be that your
> initial request did not get authenticated by "foo/acl_users"
> but by a higher level "acl_users" that does not assign
> the correct role to the user.
> 
This is exactly what I want. I want a user which has to log in with
foo/acl_users,
and this user should be allowed to view the Image through DTML.
Have I misunderstood restrictedTraverse, which says that an object will
be accessed by traversing
a path and checking permissions for each object?

as

> Dieter
> 
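The two behaviours discussed in this thread (permission checks at every traversal step, an "Unauthorized" that is surfaced as a "KeyError" so the object's existence stays hidden, and authentication answered by whichever user folder is nearest to the requested object) can be modelled in a few lines. The following is an added toy model, not Zope's code and not the poster's: `Node`, `authenticate`, `restricted_traverse`, `outcome` and the sample site layout are invented here to mirror the tree in the original question, and the `hide_existence` switch stands in for the circumstances under which Zope turns the exception into a KeyError.

```python
"""Toy model of per-step permission checks during path traversal.

Not Zope's code: the class and function names below are invented for
illustration, and the site layout is constructed to match the thread.
"""


class Unauthorized(Exception):
    """Denied step whose existence does not need to be hidden."""


class Node:
    def __init__(self, name, required_role=None, acl_users=None):
        self.name = name
        self.required_role = required_role   # role needed to view this object
        self.acl_users = acl_users or {}      # login -> set of roles (user folder)
        self.children = {}

    def add(self, child):
        self.children[child.name] = child
        return child


def split_path(path):
    return [p for p in path.split("/") if p]


def authenticate(root, path, login):
    """Roles the nearest user folder along `path` assigns to `login`.

    User folders are consulted from the requested object upward, so a
    request for /foo/bar/Image is answered by foo/acl_users, while a
    request for /index_html can only be answered by the root acl_users.
    """
    node = root
    folders = [root]
    for part in split_path(path):
        node = node.children[part]  # unchecked walk, only to find user folders
        folders.append(node)
    for folder in reversed(folders):
        if login in folder.acl_users:
            return set(folder.acl_users[login])
    return set()


def restricted_traverse(root, path, roles, hide_existence=True):
    """Walk `path` from `root`, checking the required role at every step."""
    node = root
    for part in split_path(path):
        child = node.children.get(part)
        if child is None:
            raise KeyError(part)
        if child.required_role and child.required_role not in roles:
            if hide_existence:
                raise KeyError(part)   # indistinguishable from "does not exist"
            raise Unauthorized(part)
        node = child
    return node


def outcome(root, path, roles, hide_existence=True):
    """Classify a traversal attempt as 'ok', 'KeyError' or 'Unauthorized'."""
    try:
        restricted_traverse(root, path, roles, hide_existence)
        return "ok"
    except KeyError:
        return "KeyError"
    except Unauthorized:
        return "Unauthorized"


def build_site():
    """Constructed layout from the thread: root/index_html, root/foo/acl_users,
    root/foo/bar/Image; the same login exists in both user folders but only
    foo/acl_users grants the 'foobar' role."""
    root = Node("root", acl_users={"andre": {"Member"}})
    root.add(Node("index_html"))
    foo = root.add(Node("foo", acl_users={"andre": {"foobar"}}))
    bar = foo.add(Node("bar"))
    bar.add(Node("Image", required_role="foobar"))
    return root


def render_index(root, login):
    """Simulate index_html looking up foo/bar/Image while the request itself
    was authenticated for /index_html, i.e. by the root user folder."""
    roles = authenticate(root, "/index_html", login)
    return outcome(root, "/foo/bar/Image", roles)


if __name__ == "__main__":
    site = build_site()
    print("direct request:", outcome(site, "/foo/bar/Image",
                                     authenticate(site, "/foo/bar/Image", "andre")))
    print("from index_html:", render_index(site, "andre"))
```

Run stand-alone, the direct request to the image succeeds because foo/acl_users answered the login and granted `foobar`, while the same login rendering index_html is authenticated by the root user folder, lacks the role, and sees a KeyError rather than an Unauthorized; flipping `hide_existence` to False shows the Unauthorized that was being masked, which is the distinction Dieter asks the poster to check.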