[Zope-dev] Security Question

Danny William Adair danny@adair.net
Thu, 29 Nov 2001 13:57:30 +1300


> This doesn't work, because the user is not known in root where the
> index_html is,
> the user is known in the folder view.


Sorry.
I think I read your first email a little too fast.

This behavior is normal, and meant to strengthen Zope security.
You are not calling the Image object, index_html is. The user folder will not 
authenticate "above". You are calling index_html which is "above". 
That's why calling the Image object directly works fine.

If the other way were possible, you could switch the authenticating 
user_folders and thus sneak into something you weren't allowed to access:

<dtml-with folder_where_current_user_is_in_acl_users_and_has_foobar_role>
<dtml-with folder_next_to_it_where_user_can_access_contents_information>
<dtml-var some_Image_only_foobar_role_owners_can_view>
</dtml-with>
</dtml-with>

This means showing the bouncer your public library card, instead of (at 
least) your driver's license. Of course it says that you're 21...

By the way, this has nothing to do with the URL. Calling /foo/bar/index_html, 
(hoping for acquisition leaving you with the client object "bar"), will bring 
the same result. <dtml-var Image> will _find_ the Image object, but 
index_html (which is still above) will need to show proper permissions.

So you cannot do it this way. Not even unrestrictedTraverse would help you. 
Not even a proxy role, since you would have the same problem with the method 
that holds the proxy role. Where would you put it?

If I understand you right, you want the user to authenticate when trying to 
access index_html, because that's where the protected image will be shown. 
(Or was the question not of practical relevance?)

You either have to move index_html down to where acl_users lies, or the other 
way around.

If you want one universal "view image" page, which only asks for 
authentication if needed for the image it is supposed to show (and doesn't 
for public images), then call "foo/bar/Image/show" with "show" being a method 
on the same level as your current index_html. Another way would be 
redirection.

The third and by far the easiest solution is to use

<img src="/foo/bar/Image">

in index_html, because then the Image object will be requested directly and 
authenticates itself (on the right level).

I was rebuilding your sample structure, and found something quite annoying, 
that might have to go into the Collector:

"Access contents information" looks like it is not sufficient to access image 
objects or their properties.

<dtml-var "foo.bar.Image.width"> will need the "View" permission, which is 
not how this thing works with other object types. As soon as you _access_ an 
image object Zope behaves as if you were trying to render it, but you're not 
(yet).

You might have found a Zope bug here...

Hope this helps,
Danny
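
The rule described in the message above, as an added example that is not part of the original post and is not Zope's own code: a simplified Python model in which only user folders at or above the published object authenticate, and a role counts only for objects contained under the folder where the user is defined. The class, the function names and the sample tree (root, view, other, alice) are constructed for illustration.

```python
class Node:
    """An object in the containment tree (constructed model, not a Zope class)."""
    def __init__(self, name, parent=None, view_roles=(), users=None):
        self.name, self.parent = name, parent
        self.view_roles = set(view_roles)   # roles that hold "View" on this object
        self.users = users or {}            # stands in for acl_users: name -> roles

    def chain(self):
        """Yield this object and every container above it, innermost first."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def authenticate(published, username):
    """Only user folders at or above the published object are consulted."""
    for node in published.chain():
        if username in node.users:
            return (username, set(node.users[username]), node)
    return ("Anonymous", {"Anonymous"}, None)


def allowed(user, obj):
    """A matching role is not enough: obj must sit under the user's home folder."""
    _, roles, home = user
    in_context = home is None or any(n is home for n in obj.chain())
    return in_context and bool(roles & obj.view_roles)


def render(published, username, embedded):
    """Publish `published`, which then pulls in `embedded` (like <dtml-var Image>)."""
    return allowed(authenticate(published, username), embedded)


# Constructed sample tree: alice is defined only in /view/acl_users.
root = Node("root")
index_html = Node("index_html", root, view_roles={"Anonymous"})
view = Node("view", root, users={"alice": {"foobar"}})
image = Node("Image", view, view_roles={"foobar"})
page_in_view = Node("page", view, view_roles={"foobar"})
other = Node("other", root)
other_image = Node("Image", other, view_roles={"foobar"})
```

Here render(index_html, "alice", image) is denied because the request is anonymous at root, while render(page_in_view, "alice", other_image) is denied by the containment check even though the role name matches.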