[Zope] Risky Giving Anon User Permission to View Management Panel

Kevin Dangoor kid@kendermedia.com
Fri, 12 Nov 1999 16:47:58 -0500


----- Original Message -----
From: Jeff Rush <jrush@timecastle.net>
To: <zope@zope.org>
Sent: Friday, November 12, 1999 2:21 PM
Subject: [Zope] Risky Giving Anon User Permission to View Management Panel


> Are there any security risks associated with giving the anonymous
> user under Zope the 'view management panel' permission?  He
> doesn't seem to be able to delete/modify/add things, and I thought
> it might be good on some sites intended for demo to allow people
> to peek under the covers and see how it was all done.
>
> Zope.org seems to give you this permission to some degree, since
> you need it to be allowed to click on the "view DTML source",
> but they (somehow) prevent you from getting to the actual '/manage'
> interface (I'd love to know how).

I don't know if there are any other risks in the view management screens
permission. The "DTML source" link could have been implemented a couple of
ways... They could have put "Access Contents Information" on for anonymous
(I think that's the permission used for getting the document src of DTML).
Or, the view_source method could use a Proxy Role to get the permission
necessary to access the source. This second method would allow them to
easily make it so that it only works on DTML Methods and DTML Documents (if
they wanted to). They could do this by checking the meta_type...

Kevin
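As an added illustration (not code from the thread or from zope.org), here is what the second approach could look like: a view_source routine that hands back document_src() only for DTML Methods and DTML Documents, so that a Proxy Role granted to it in the ZMI does not expose anything else. It is written as a plain function over the object so it runs outside Zope; in a real Python Script the same check would run against context, and the stub objects below are constructed stand-ins.

```python
# Added example, not from the original thread. Assumes Zope 2 conventions:
# DTML Method / DTML Document objects carry a meta_type string and a
# document_src() method returning their source text.
ALLOWED_META_TYPES = ('DTML Method', 'DTML Document')


def view_source(obj):
    """Return the DTML source of obj, or None if obj is not a DTML object.

    Even when the calling script holds a Proxy Role broad enough to read
    any object, this meta_type gate limits what it will actually reveal
    to DTML source, which is the only thing the demo site wants to show.
    """
    if getattr(obj, 'meta_type', None) not in ALLOWED_META_TYPES:
        return None
    return obj.document_src()


# Constructed stand-ins for Zope objects so the function runs offline.
class _Stub:
    def __init__(self, meta_type, src):
        self.meta_type = meta_type
        self._src = src

    def document_src(self):
        return self._src


dtml_method = _Stub('DTML Method', '<dtml-var title_or_id>')
dtml_document = _Stub('DTML Document', '<dtml-var standard_html_header>')
python_script = _Stub('Script (Python)', 'return 1')  # must not be exposed
```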