[Zope] Quick Security Question (Anonymous "Add Documents, Images, and Files")

Adam Warner lists@consulting.net.nz
09 Nov 2001 01:57:40 +1300


Hi all,

I have a python script that does a manage_addFile (it generates a cached
version of a converted file the first time the page is viewed). To allow
anon users to access the page itself I've had to allow anon "Add
Documents, Images, and Files" in the root folder security. I've disabled
it again while I await confirmation.

These are the only options available to me in the python script's
security settings:

Access contents information
Change Python Scripts
Change bindings
Change cache settings
Change permissions
Change proxy roles
Delete objects
Manage WebDAV Locks
Manage properties
Take ownership
Undo changes
View
View History
View management screens
WebDAV Lock items
WebDAV Unlock items
WebDAV access

My question is: Does enabling website-wide anonymous "Add Documents,
Images, and Files" mean users will be able to upload files, etc.
indiscriminately? Or does it just mean anon user-initiated scripts and
forms that generate files will work?

Thanks,
Adam
