[Zope] Folder and SQL security

Chris McDonough chrism@digicool.com
Tue, 5 Sep 2000 11:51:02 -0400


George,

Hi... please continue to respond to the list...

Did you clear the acquire permissions settings checkbox for all the
permissions in the "wholesale" folder?  Does it make any difference?

How are you testing this?  Are you sure that you aren't logged in as
"george" when you visit the wholesale folder?  (e.g. are you stopping
and restarting the browser to test this?)



> I am about one quarter through '6-1-Security.stx'. I printed all 41
> pages. I also printed the security chapter from the ZB so I am trying to
> learn. It's just that at the moment I need a quick fix. Here is my case
> in detail:
> 
> My site is located in the folder 'okstudio'. The 'root' folder also
> contains a user folder and me as the only user. I am the manager of the
> site (and the superuser). Several subfolders under folder 'okstudio'
> contain files that can be accessed by anyone. All subfolders except for
> one have the same security settings - 'view and access contents'. I also
> have an sql method that I use with <in> and </in> to embed data from my
> database into HTML. The security settings of that method are - 'view,
> access contents information and use database methods'.
> There is one subfolder called 'wholesale' that should have restricted
> access. No viewing without authorisation. That folder will contain info
> for customers only that should not be seen by anyone else. I created a
> user subfolder in that folder where I listed myself as a 'manager'. I
> also took every permission from 'anonymous' so theoretically 'anonymous'
> should not be able to view the content of that folder. I also created an
> 'index_html' DTML document and took all the permissions from anonymous
> there. I am still, however, able to view the index_html as anonymous
> without any authorisation.
> My question is: Is there a way to make sure that no one unauthorised
> gets to see any of the contents of the 'wholesale' folder?
> 
> Regards,
> 
> George
> 
> 
> > -----Original Message-----
> > From: Chris McDonough [mailto:chrism@digicool.com]
> > Sent: Tuesday, 5 September 2000 10:08
> > To: George Osvald
> > Cc: zope@zope.org
> > Subject: RE: [Zope] Folder and SQL security
> >
> >
> > On Tue, 5 Sep 2000, George Osvald wrote:
> >
> > > My sql works now and security is satisfactory so thank you. The
> > > only thing that remains in question is that one subfolder. I
> > > created a user folder inside, set all the security and it does not
> > > do what I want. I want to restrict any access including viewing for
> > > nobody. Only authorised customers would be able to view the page.
> > > After turning off all the security options though I am still able
> > > to view the pages as nobody. How do I prevent that?
> >
> > Do you have "acquire permissions" set on all the permissions of the
> > folder?  Have you tried turning it off?
> >
> > This may be a wild goose chase because I'm sort of guessing at your
> > problem.  Your message has generalizations like "that one subfolder"
> > (what subfolder?  what are its settings?), "set all the security"
> > (how?), "does not do what I want" (what do you want?  exactly how
> > does it fail, can you give a concrete example?) and "the page" (what
> > page?).  It'd be helpful to define these, because as much as I try, I
> > can't read minds.  :-)
> >
> > HTH,
> >
> > C
> >
> > > >
> > > > George wrote:
> > > > >
> > > > > Security in ZOPE is very puzzling. If I have certain rules set
> > > > > for the root folder, can I set something different for the sub
> > > > > folders?
> > > >
> > > > Sure... for general security information see both
> > > > http://www.zope.org/Members/michel/ZB (the Zope book security
> > > > chapter, mostly finished) and
> > > > http://www.zope.org/Members/mcdonc/PDG (security chapter mostly
> > > > finished).
> > > >
> > > > > Any changes seem to have no effect at all.
> > > >
> > > > Can you be more specific?
> > > >
> > > > > I am especially wondering about the settings for the anonymous
> > > > > user. I'd like to give them only 'viewing' privilege but that
> > > > > does not work.
> > > >
> > > > How doesn't it work?
> > > >
> > > > > The site is not functional at all and asks for the password even
> > > > > for the viewing. Then I enable 'access the content' and the site
> > > > > works as long as I do not try to use sql.
> > > >
> > > > Yes, "access contents information" is equivalent to allowing the
> > > > user to list the objects in an object manager.  It's given to
> > > > anonymous by default most of the time, and is probably required
> > > > for most operations.
> > > >
> > > > > When I however enable 'use sql methods' permission they can
> > > > > access my database, delete and add entries to it.
> > > >
> > > > This should have nothing to do with 'access contents information'.
> > > > There should be permissions available to restrict the use of sql
> > > > methods.  Have you seen them?
> > > >
> > > > > What do I have to do to allow anonymous viewers to just view the
> > > > > site
> > > >
> > > > Give them "view" and "access contents information" permissions.
> > > > Depending on the products you've got installed and the operations
> > > > you want the users to be able to carry out, you may need to give
> > > > them other permissions.
> > > >
> > > > > (keep in mind that I am using a couple of zsql methods for
> > > > > embedding of data in my html) I also want to have one of the sub
> > > > > folders not accessible to anyone but me.
> > > > > Can anyone help?
> > > > >
>
> Chris McDonough
> Digital Creations, Publishers of Zope
> http://www.zope.org
>
>
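The thread turns on the "acquire permission settings" checkbox that Chris asks about. The following is an added example for this page, not code from the thread or from Zope: a small Python model of the Zope 2 rule that the roles holding a permission on an object are the roles set locally on that object, unioned with the roles resolved the same way on its parent whenever the permission is flagged to acquire. It rebuilds George's root/okstudio/wholesale layout; the 'Customer' role, the class names and the helper functions are assumptions made for the illustration.

```python
"""Model of how Zope 2 resolves which roles hold a permission on an object.

Added example for this thread; it is not code from the thread or from Zope.
Folder, role and permission names follow the thread; the 'Customer' role and
the class/function names are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class PermSetting:
    roles: Set[str]
    acquire: bool = True  # Zope's default: "Acquire permission settings?" is checked


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    perms: Dict[str, PermSetting] = field(default_factory=dict)

    def set_permission(self, permission: str, roles: Iterable[str], acquire: bool) -> None:
        """Analogue of editing the Security tab (or RoleManager.manage_permission)."""
        self.perms[permission] = PermSetting(set(roles), acquire)

    def roles_for(self, permission: str) -> Set[str]:
        """Roles that hold `permission` on this object, after acquisition."""
        local = self.perms.get(permission)
        if local is None:
            # No local setting at all: the parent's resolved setting is inherited.
            return self.parent.roles_for(permission) if self.parent else set()
        roles = set(local.roles)
        if local.acquire and self.parent is not None:
            # The checkbox: local roles are UNIONED with the parent's, so removing
            # Anonymous here does nothing while Anonymous still holds it above.
            roles |= self.parent.roles_for(permission)
        return roles

    def allows(self, permission: str, user_roles: Iterable[str]) -> bool:
        return bool(self.roles_for(permission) & set(user_roles))


PROTECTED = ("View", "Access contents information")


def build_site(acquire_on_wholesale: bool) -> Folder:
    """root/okstudio/wholesale as George describes it; returns 'wholesale'."""
    root = Folder("root")
    for perm in PROTECTED:
        # Zope's usual root defaults: Anonymous and Manager may view and list.
        root.set_permission(perm, {"Anonymous", "Manager"}, acquire=False)
    okstudio = Folder("okstudio", parent=root)        # no local settings: inherits root
    wholesale = Folder("wholesale", parent=okstudio)
    for perm in PROTECTED:
        # George's step: Anonymous removed locally; only the checkbox state varies.
        wholesale.set_permission(perm, {"Manager", "Customer"}, acquire=acquire_on_wholesale)
    return wholesale


def anonymous_can_view(acquire_on_wholesale: bool) -> bool:
    """Can an unauthenticated request (role 'Anonymous') view 'wholesale'?"""
    wholesale = build_site(acquire_on_wholesale)
    return all(wholesale.allows(p, {"Anonymous"}) for p in PROTECTED)


def customer_can_view(acquire_on_wholesale: bool) -> bool:
    """Can a user holding the (assumed) 'Customer' role view 'wholesale'?"""
    wholesale = build_site(acquire_on_wholesale)
    return all(wholesale.allows(p, {"Customer"}) for p in PROTECTED)


if __name__ == "__main__":
    print("checkbox left on :", anonymous_can_view(True))   # True: Anonymous leaks in via okstudio/root
    print("checkbox cleared :", anonymous_can_view(False))  # False
    print("customer, cleared:", customer_can_view(False))   # True
```

With the checkbox left at its default, the locally removed Anonymous role comes straight back from okstudio and root, which is exactly the symptom George reports; clearing it on every permission of the wholesale folder is what keeps Anonymous out. An index_html inside wholesale that still acquires its settings then takes them from the locked-down folder, which is fine. When testing, remember that a browser caches HTTP Basic credentials for the session, so a check made while still logged in as "george" proves nothing: restart the browser or use a fresh private session, as Chris suggests.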