[Zope] security model with regards to acquisition

Jim Fulton jim@digicool.com
Wed, 28 Apr 1999 10:10:38 -0400


"Jay, Dylan" wrote:
> 
> I have a folder that has restricted access. In a parent folder I have a DTML
> method that accesses a property of the folder. A browser that has not been
> authenticated for viewing the folder can still use the acquired method in
> the folder, i.e. they type
> 
> http://server.com/RestrictedFolder/parentMethod and it works!!!
> 
> This seems counter intuitive to me.

Me too.  Note that this has nothing to do with acquisition.
A Public method of the folder could also access a property 
of the folder.

> Either you have access to a folder or
> you do not.

Well, there are many types of access.  But I think it should be possible
to disable access to a folder's properties through the 
"Access contents information" permission.

> Why is this the case and should it be? In any case how do I make
> sure users can not do the above unless authenticated?

This is a bug in the validation logic.  The current rules
allow access to objects that don't have __roles__ attributes 
and that are not acquired.  The reason is that it is assumed that
you have to have access to the container to get the object, but this
is not always true.  

I will fix this today and check the fix in, so it will be available 
via the public CVS.  The fix will also be in the next release.
The fix will add a check for parent roles even if an object is
not acquired.

A possible workaround is to use an expression and name the folder 
when you access properties to force access to the folder to be checked:

  <!--#var "theSecretFolder.aProperty"-->

Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!        
Technical Director   (888) 344-4332            http://www.python.org  
Digital Creations    http://www.digicool.com   http://www.zope.org    

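
Added example, not part of the original message and not Zope's own code: a simplified Python model of the validation rule described above, with the check as it stood before the fix beside the check that also consults the parent's roles. The Folder class, the function names, the role tuples and the deny-when-undeclared default are assumptions made for illustration; only __roles__ and aProperty come from the message.

```python
# Simplified model of the rule described in the message; not Zope's code.
_MISSING = object()


class Folder:
    """Hypothetical container: a role declaration plus plain properties."""
    def __init__(self, roles, **properties):
        self.__roles__ = roles            # roles allowed to access the folder
        self.__dict__.update(properties)  # property values carry no __roles__


def _has_role(declared, user_roles):
    return any(role in declared for role in user_roles)


def _container_allows(container, user_roles):
    # Model assumption: a container with no declaration denies access.
    declared = getattr(container, "__roles__", _MISSING)
    return declared is not _MISSING and _has_role(declared, user_roles)


def validate_before_fix(container, value, acquired, user_roles):
    declared = getattr(value, "__roles__", _MISSING)
    if declared is not _MISSING:
        return _has_role(declared, user_roles)
    if not acquired:
        # Flawed assumption: the caller must already have passed a check
        # on the container in order to reach this object.
        return True
    return _container_allows(container, user_roles)


def validate_after_fix(container, value, acquired, user_roles):
    declared = getattr(value, "__roles__", _MISSING)
    if declared is not _MISSING:
        return _has_role(declared, user_roles)
    # Parent roles are checked even when the object is not acquired.
    return _container_allows(container, user_roles)


# Constructed sample data: a restricted folder and two sets of user roles.
RESTRICTED = Folder(("Manager",), aProperty="secret value")
ANONYMOUS = ("Anonymous",)
MANAGER = ("Manager",)

if __name__ == "__main__":
    for check in (validate_before_fix, validate_after_fix):
        for label, roles in (("anonymous", ANONYMOUS), ("manager", MANAGER)):
            ok = check(RESTRICTED, RESTRICTED.aProperty, False, roles)
            print(f"{check.__name__:20} {label:10} allowed={ok}")
```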