[Zope] Determining permissions in a Product
Chris Withers
chrisw@nipltd.com
Fri, 20 Oct 2000 10:36:00 +0100
Michael Bernstein wrote:
>
> Chris Withers wrote:
> >
> > Incidentally, I think this is a bit of a security hole. You shouldn't
> > get told what you're not allowed to see, especially if it's 'cos you got
> > your password wrong. If you see what I mean ;-)
>
> I see what you mean here, Chris, but wouldn't this come
> under the heading of a 'security through obscurity' hole?
> ie. you're saying that the system isn't obscure enough?
Not really... I'm saying it shouldn't tell you stuff you _never_ need to
know, like where on your file system the Zope files live.
A lot of this comes from standard_error_message not being used for
authorization errors, and Zope's insistence on tacking the traceback onto
error pages it returns, even in production mode :-S
Might have to have a look at this some time ;-)
cheers,
Chris
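An added example, not part of Chris's message or of Zope's own code: a minimal error handler that makes the distinction he is drawing. The full traceback (including file system paths) goes to the server log, while the client only receives a generic message unless the application is explicitly running in debug mode. The function and constant names are assumptions for illustration; the small `leaks_paths` check is a way to confirm that a production response carries no `File "..."` frames or absolute paths.

```python
import logging
import re
import traceback

log = logging.getLogger("error_pages")

# Generic texts returned to the browser; they deliberately say nothing
# about why access failed or where the application lives on disk.
GENERIC_UNAUTHORIZED = "You are not authorized to access this resource."
GENERIC_ERROR = "An internal error occurred."


class Unauthorized(Exception):
    """Stands in for an authorization failure (hypothetical exception)."""


def render_error(exc, production=True):
    """Return (status, body) for a failed request.

    The traceback is always written to the server log, where an admin
    needs it.  Only in non-production (debug) mode is it appended to the
    body sent to the client.
    """
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("request failed:\n%s", tb)

    if isinstance(exc, Unauthorized):
        status, public = 401, GENERIC_UNAUTHORIZED
    else:
        status, public = 500, GENERIC_ERROR

    if production:
        return status, public
    return status, public + "\n\n" + tb


# Matches Python traceback frames ('File "/some/path.py"') and
# multi-component absolute paths such as /usr/local/zope/lib/python.
_PATH_RE = re.compile(r'File "[^"]+"|(?:/[\w.-]+){2,}')


def leaks_paths(body):
    """True if a response body exposes file system locations."""
    return _PATH_RE.search(body) is not None


def simulate(production):
    """Raise a constructed Unauthorized deep in a call and render it."""
    def load_view():
        raise Unauthorized("wrong password")  # constructed failure
    try:
        load_view()
    except Exception as exc:
        return render_error(exc, production)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for mode in (True, False):
        status, body = simulate(mode)
        print("production=%s status=%d leaks_paths=%s"
              % (mode, status, leaks_paths(body)))
```

Run as a script it logs the traceback once per mode and shows that only the debug-mode body trips the path check.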