[Zope] permissions broken?
Courrier
xavier.damay@netcourrier.com
Fri, 9 Nov 2001 15:11:56 +0100
hello,
I've tried what you said
when "standard_html_header" and "standard_html_footer" are owned by "dev",
it works with "Access contents information" permission set for manager role.
I think it's because of acquisition of DTML Method owned by root.
Am I right?
I'm new to Zope, and I want to learn a lot about security.
If you have exercises like this one, I would appreciate it.
(I need also grammar correction, isn't it ;)
Xavier
Today I tried on my Zope Zope 2.3.2 (source release, python 1.5.2, linux2)
what I did a hundred times successfully before:
1. created a folder "production"
2. set not to acquire the "View" permission for this folder
3. created a role "developer"
4. created a user "dev" with role developer
5. changed security settings so that developers can "View"
6. created two dtml-methods "standard_html_header" and "standard_html_footer" inside the new folder
7. logged in as dev and got the error message:
Unauthorized
You are not authorized to access standard_html_header
Strangely enough, this only occurs with standard_html_header and
standard_html_footer.
I also created a dtml-method called index_html and could see it.