[Zope] Bug in object security?
James W. Howe
jwh@allencreek.com
Tue, 22 Feb 2000 14:56:18 -0500
I've encountered a strange behavior with the Zope security mechanism which
strikes me as a bug. Here is what I've done:
1. Create a folder in root named 'AccessTest'
2. Create a user folder in AccessTest
3. Define a role for AccessTest called 'Publisher'
4. Create a user in the acl_users directory and grant the user 'Publisher' access
5. From the AccessTest security tab, disable 'Access contents information' for anyone except the manager.
6. From the AccessTest security tab, enable 'View management screens' for Manager and Publisher.
From a fresh browser (no previous authentication), attempt to access the
management interface for AccessTest (i.e.
http://foo.com:8080/AccessTest/manage). Log in as the 'Publisher'
user. The screen displaying the contents of the AccessFolder will be
displayed. However, this is where I think a mistake has been made.
In ObjectManager, the 'View management screens' permission has been associated with
manage_main and manage_menu. Similarly, ObjectManager defines the 'Access
contents information' permission for the methods objectIds, objectValues and
objectItems. When I disable 'Access contents information' for my Publisher
role, it would seem that users with this role should not be able to access
these methods. However, the manage_main dtml code which defines the
contents view of the management interface makes use of these methods. When
the manage_main dtml is rendered, why doesn't Zope prompt for
authentication when manage_main attempts to access objectItems, for example?
I'm sure there is a very reasonable explanation, but it strikes me as odd.
Thanks.
James W. Howe mailto:jwh@allencreek.com
Allen Creek Software, Inc. pgpkey: http://ic.net/~jwh/pgpkey.html
Ann Arbor, MI 48103
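A toy model added to this archive entry (not Zope code and not the poster's) using the roles, permissions and method names from the message above. It contrasts checking permissions only at the entry point, which yields the contents listing the post observes for a Publisher, with checking on every method call; the policy names and the folder contents are constructed.

```python
# Added example, not Zope code: a toy model of the roles, permissions and
# method names in the post. Two checking policies are contrasted:
#  "checked_entry_only" - verify once at the entry point; internal calls run unchecked
#  "checked_every_call" - verify every method call against the caller's roles
PERMISSIONS = {
    # permission name -> roles holding it (the post's AccessTest settings)
    "View management screens": {"Manager", "Publisher"},
    "Access contents information": {"Manager"},
}
METHOD_PERMISSION = {
    # method name -> protecting permission (as the post describes ObjectManager)
    "manage_main": "View management screens",
    "manage_menu": "View management screens",
    "objectIds": "Access contents information",
    "objectValues": "Access contents information",
    "objectItems": "Access contents information",
}

class Unauthorized(Exception):
    pass

def check(method, roles):
    """Raise Unauthorized unless one of `roles` holds the method's permission."""
    allowed = PERMISSIONS[METHOD_PERMISSION[method]]
    if not roles & allowed:
        raise Unauthorized(f"{method} requires {METHOD_PERMISSION[method]!r}")

def object_items(roles, policy):
    # Constructed folder contents standing in for real sub-objects.
    if policy == "checked_every_call":
        check("objectItems", roles)
    return [("doc1", "DTML Method"), ("img1", "Image")]

def manage_main(roles, policy):
    """Render the contents view; the entry point is always checked."""
    check("manage_main", roles)
    return [name for name, _ in object_items(roles, policy)]

def render_for(roles, policy):
    """Return the listing, or None if the user was refused somewhere."""
    try:
        return manage_main(set(roles), policy)
    except Unauthorized:
        return None
```

Under the entry-only policy a Publisher sees the listing even though objectItems is denied to that role, which is the outcome the post describes; under per-call checking the same request is refused.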