[Zope] How to change Unauthorized error message?

Chris Withers fresh@bay-c.co.uk
Thu, 28 Sep 2000 20:56:28 +0100


Andy McKay wrote:
> Well, if an anonymous user was allowed access to none of your site except
> standard_error_message, that would sound like a security hole some person
> with a warped mind on these issues could use.

I don't think so... the site designer just has to remember that the object
is anonymously viewable, as with any other anonymously viewable object.
If it's not anonymously viewable, fair enough, throw the hard-coded
error _saying_ standard_error_message wasn't viewable by anonymous...

...besides, telling them the path where Zope is installed on your
server, which the error message does, is probably a much worse security
'hole'.

I don't like the way Zope does this for _all_ standard_html_errors,
especially as it tacks the error on the end of the HTML in production
mode, thus generating technically incorrect HTML (I think? ;-)

cheers,

Chris