[Zope] Zope and security.

Jeff Rush <jrush@timecastle.net>
Wed, 10 Nov 99 06:08:48 -0500


On Wed, 10 Nov 1999 01:46:13 -0500, Otto Hammersmith wrote:

>So, my question is, does there exist a laundry list of common Zope
>misconfigurations?  Does there need to be one (Zope.org tips)? The
>solution is rather obvious (settings on the security tab for the folder)
>but how do new users know to catch that kind of thing?

Yes, there badly needs to be one.  I've run across a few slip-ups
and I'm sure we all here know of many more.  As far as I know,
there isn't even a precise description of each of the permissions
that an administrator can review to decide which he wants to
grant (ZQR?).

I'd break it into two parts -- one for sites w/o members who
can write DTML and one for those with -- similar to Unix boxes
that do or do not give out shell accounts.  Insider attacks
versus outsider attacks.

-Jeff Rush