[Zope] How to change Unauthorized error message?

Andy McKay andym@ActiveState.com
Thu, 28 Sep 2000 13:05:34 -0700


> Andy McKay wrote:
> > Well if an anonymous user was allowed access to none of your site except
> > standard_error_message that would sound like a security hole some person
> > with a warped mind on these issues could use.
>
> I don't think so... the site designer just has to remember that object
> is anonymously viewable, as with any other anonymously viewable object.
> If it's not anonymously viewable, fair enough, throw the hard coded
> error _saying_ standard_error_message wasn't viewable by anonymous...

Sure, I suppose. How to implement this, of course, is another issue, as errors
get thrown up to /lib/python/ZPublisher/HTTPResponse.py and you would need to
trap them before then.

But I'm just coming off your last suggestion regarding exporting folders with
no subobjects and don't want to dive back into Zope internals until my brain
has stopped hurting :)

> ...besides, telling them the path where Zope is installed on your
> server, which the error message does, is probably a much worse security
> 'hole'.
>
> I don't like the way Zope does this for _all_ standard_html_error's,
> especially as it tacks the error on the end of the HTML in production
> mode, thus generating technically incorrect HTML (I think? ;-)

Absolutely, not just that it's incorrect HTML, but also that it can expose
implementation issues such as "oh, that site GUF, I know a hole there..."

> cheers,
>
> Chris
>