[Zope] Security problems with localFS and PCGI

Jim Sanford jsanford@atinucleus.com
Sat, 13 May 2000 00:04:45 -0500


All access to this site is via authenticated https. There are no anonymous
users, and EVERY request for data is verified via a custom query against a
permissions table.

Jim
----- Original Message -----
From: "Alexandre A. Drummond Barroso" <alexandre@intelligenesis.net>
To: <zope@zope.org>
Sent: Friday, May 12, 2000 6:33 PM
Subject: [Zope] Security problems with localFS and PCGI


When Zope is started as PCGI, it runs as the same user as the web server
process (I'm using a variant of Apache).

So for every file the web server has access to, the localFS product has access too.
But some areas of the web site are restricted areas (they must
be accessed with authentication certificates).

If a content manager user can create localFS objects in Zope, the restricted
content can be accessed.

Is there a way to configure Zope or localFS to limit access to files in the file
system?

Thanks for any help.

Alexandre A. Drummond Barroso
Extranet Software Engineer
Intelligenesis Corp.

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of
Graham Chiu
Sent: Friday, May 12, 2000 6:25 PM
To: zope@zope.org
Subject: Re: [Zope] Saving a rendered DTML document with LocalFS



In article <00e201bfbc5b$c3a9e380$04fea8c0@sanwinmain>, Jim Sanford
<jsanford@atinucleus.com> writes
>These are sales/order tracking/forecasting reports. The reports are HTML
>tables and are easier to handle on the file system. They are kept for
>snapshot/historic purposes. (Mostly to have the "evidence" when the sales
>person changes his story to his manager.)

I have an E-commerce site.  The final order page with all items, prices
etc is saved to a database as an HTML file so that customers can go back
and look up previous orders from day zero.  This is also for historic
purposes.

--
Regards,        Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.co.nz/x.php?/Shopping


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

