[Zope] Obscure security?

Ragnar Beer rbeer@q-ality.de
Thu, 22 Nov 2001 15:11:17 +0100


Thanks a lot! I was trying to grep 'Access_contents_information' and 
didn't find a lot. Now I know that anyone can e.g. access 
propertyItems which is quite a bad thing in this case :(

Ragnar


>Ragnar Beer wrote:
>
>>  Howdy!
>>  I spent some time searching the documentation for an explanation 
>>of the "Access_contents_information" permission but didn't find 
>>anything. I think this is vital information for any Zope admin and 
>>should be easy to find. How can I set up permissions when I can't 
>>find out exactly what permissions I'm actually granting?
>>  I'm (once again) in the situation where an authenticated user 
>>cannot access an object unless the "Anonymous" role is given the 
>>permission to "Access_contents_information" (the role of the 
>>authenticated user has that permission). This reminds me of the old 
>>non-root Squishdot bug, but I can't solve it by upgrading Zope this 
>>time, because I already installed 2.4.3. On the other hand I can't 
>>find out what kind of holes I'm opening by giving this permission 
>>to "Anonymous".
>>  What can I do?
>
>
>You can
>
>find -name "*.py" -exec grep -q 'Access contents information' \{\} \; -print
>
>./AccessControl/Permissions.py
>./HelpSys/HelpSys.py
>./HelpSys/HelpTopic.py
>./OFS/Cache.py
>./OFS/ObjectManager.py
>./OFS/PropertyManager.py
>./OFS/PropertySheets.py
>./OFS/ZDOM.py
>./Products/OFSP/help/ObjectManager.py
>./Products/OFSP/help/PropertyManager.py
>./Products/OFSP/help/PropertySheet.py
>./ZClasses/Property.py
>./webdav/Resource.py
>
>
>(this is zope 2.3.3)
>The relevant files should be everything under OFS/
>esp. ObjectManager.py and Property*.py
>and the zope help->API Documentation which contains
>help for the above mentioned classes (including permissions).
>
>cheers,
>olver
>
>