[Zope] Nasty subtle security bug - Me Too
Brad Clements
bkc@murkworks.com
Mon, 25 Sep 2000 15:23:33 -0400
On 25 Sep 2000, at 21:01, Martijn Faassen wrote:
> In Zope 2.2.2, the user cannot execute the external method E either.
> Instead, the calling DTML code raises a NameError, basically saying our
> external method does not exist.
> I'll also dump this description into the collector, but posted to the
> list because I like to complain. And who knows, perhaps someone else
> ran into the same.
I also get the same problem in a different way. I posted a note the other
day about Login Manager and ownership generating NameError.
I thought it was a Login Manager thing. The results are about the same,
I get a NameError accessing an External method from a DTML method
when the current user has been authenticated using a Login Manager
protected sub folder of the root.
My fix, strangely enough, was to change the ownership of the DTML
method that was making the call to the External Method. It was owned
(somehow) by a user from Login Manager, rather than from the root
acl_users folder.
Changing the ownership fixed the problem.
I didn't know who should look into this, Ty or DC, so I posted to the list.
Unfortunately it looks like no one has responded. I don't have the brains
to figure it out.
Brad Clements, bkc@murkworks.com (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com AOL-IM: BKClements