[Zope] security model with regards to aquisition
Jay, Dylan
djay@lucent.com
Thu, 29 Apr 1999 10:35:46 +1000
> -----Original Message-----
> From: Jim Fulton [mailto:jim@digicool.com]
> Sent: Thursday, 29 April 1999 00:11
> To: Jay, Dylan
> Cc: 'zope@zope.org'
> Subject: Re: [Zope] security model with regards to aquisition
>
>
>
>
> "Jay, Dylan" wrote:
> >
> > I have a folder that has restricted access. In a parent
> folder I have a DTML
> > method that accesses a property of the folder. A browser
> that has not been
> > autheticated for viewing the folder can still view use the
> aquired method in
> > the folder, ie they type
> >
> > http://server.com/RestrictedFolder/parentMethod and it works!!!
> >
> > This seems counter intuitive to me.
>
> Me too. Note that this has nothing to do with acquisition.
> A Public method of the folder could also access a property
> of the folder.
>
> > Either you have access to a folder or
> > you do not.
>
> Well, there are many types of access. But I think it should
> be possible
> to disacble access to a folder's properties through the
> "Access contents information" permission.
>
> > Why is this the case and should it be? In any case how do I make
> > sure users can not do the above unless authenticated?
>
> This is a bug in the validation logic. The current rules
> allow access to objects that don't have __roles__ attributes
> and that are not acquired. The reason is that it is assumed that
> you have to have access to the container to get the object, but this
> is not always true.
>
> I will fix this today and check the fix in, so it will be available
> via the public CVS. The fix will also be in the next release.
> The fix will add a check for parent roles even if an object is
> not acquired.
>
> A possible work around is to use an expression and name the folder
> when you access properties to force access to the folder to
> be checked:
>
> <!--#var "theSecretFolder.aProperty"-->
This work around doesn't seem to work in my case. I want to actually
redirect to another address which seems to always work no matter whether the
the folder is allowed to be accessed or not. Here is the method I'm using
<!--#if "_.getitem(id).title"-->
<!--#call
"REQUEST.set('blah',_.string.split(DownloadItems[_.int(file)],'|'))"-->
<!--#call "REQUEST.set('loc',_.string.split(Locations[_.int(loc)],'|'))"-->
<!--#with "_.namespace(file=aq_parent.id + '/' + id + '/' + blah[1])"-->
<!--#call "RESPONSE.redirect(loc[1]+'/'+file+'?'+getArgs(_,file,
10)+'&f='+file)"-->
<!--#/with-->
<!--#else-->
<!--#call "RESPONSE.setStatus(404)"-->
<!--#/if-->