[Zope] Re: [Zope-dev] possible security flaw? - and, request for a phone conference.

Stuart 'Zen' Bishop zen@cs.rmit.edu.au
Thu, 8 Jun 2000 18:41:37 +1000 (EST)


On Wed, 7 Jun 2000, Jon Franz wrote:

> Basically, if a user with manager privileges to a folder changes their
> password to be empty, then anyone (from permitted domains) can access the
> management screen for that folder Without Logging On... Zope assumes that
> you are the user without the password and treats you as if you have those
> rights.

This is a feature, but I don't know if or where it is documented besides
the source code (which is a bug if it isn't I guess). The blank password 
feature is normally combined with the domain limitation feature to allow 
connections from a given network to automatically attach with various 
permissions (such as a trusted that pushes data into the ZODB - this 
method avoids having to keep a password in plaintext around on your 
filesystem).

-- 
Stuart Bishop                          Work: zen@cs.rmit.edu.au
Senior Systems Alchemist               Play: zen@shangri-la.dropbear.id.au
Computer Science, RMIT University
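The behaviour discussed in this thread, as an added example that is not Zope's own code: a constructed model of a user store where an empty stored password means "no credentials required", shown beside a stricter variant that only honours password-less access for accounts explicitly marked for domain-based authentication, plus a check that lists accounts that have silently become password-less. The user records, hostnames and the `domain_auth` flag are assumptions for the illustration.

```python
import fnmatch

# Constructed user store (not Zope's data): each record has a password,
# an optional list of permitted domains and a list of roles. "feed" is the
# intended use from the reply (a trusted network pushing data in), while
# "alice" is a manager who blanked her password, as the original poster saw.
USERS = {
    "alice": {"password": "", "domains": ["*.example.org"], "roles": ["Manager"]},
    "bob":   {"password": "s3cret", "domains": [], "roles": ["Manager"]},
    "feed":  {"password": "", "domains": ["10.0.0.*"], "roles": ["Pusher"],
              "domain_auth": True},
}

def domain_ok(user, host):
    """No domain list means any host; otherwise the host must match a pattern."""
    domains = user["domains"]
    return not domains or any(fnmatch.fnmatch(host, d) for d in domains)

def lenient_auth(name, password, host):
    """Model of the reported behaviour: an empty stored password accepts
    any supplied password, including none at all, from a permitted domain."""
    user = USERS.get(name)
    if user is None or not domain_ok(user, host):
        return None
    if user["password"] and password != user["password"]:
        return None
    return user["roles"]

def strict_auth(name, password, host):
    """Hardened variant: password-less login is honoured only for accounts
    explicitly flagged domain_auth AND restricted to a domain list; any
    other account with an empty password is refused rather than let in."""
    user = USERS.get(name)
    if user is None or not domain_ok(user, host):
        return None
    if user.get("domain_auth"):
        return user["roles"] if user["domains"] else None
    if not user["password"] or password != user["password"]:
        return None
    return user["roles"]

def risky_accounts():
    """Audit check: accounts with an empty password that were never meant
    to be domain-authenticated, i.e. the case described in the thread."""
    return sorted(n for n, u in USERS.items()
                  if not u["password"] and not u.get("domain_auth"))
```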