[Zope] Obscure security?
Ragnar Beer
rbeer@q-ality.de
Thu, 22 Nov 2001 15:11:17 +0100
Thanks a lot! I was trying to grep 'Access_contents_information' and
didn't find a lot. Now I know that anyone can e.g. access
propertyItems which is quite a bad thing in this case :(
Ragnar
>Ragnar Beer wrote:
>
>> Howdy!
>> I spent some time searching the documentation for an explanation
>>of the "Access_contents_information" permission but didn't find
>>anything. I think this is vital information for any Zope admin and
>>should be easy to find. How can I set up permissions when I can't
>>find out exactly what permissions I'm actually granting?
>> I'm (once again) in the situation where an authenticated user
>>cannot access an object unless the "Anonymous" role is given the
>>permission to "Access_contents_information" (the role of the
>>authenticated user has that permission). This reminds me of the old
>>non-root Squishdot bug, but I can't solve it by upgrading Zope this
>>time, because I already installed 2.4.3. On the other hand I can't
>>find out what kind of holes I'm opening by giving this permission
>>to "Anonymous".
>> What can I do?
>
>
>You can
>
>find -name "*.py" -exec grep -q 'Access contents information' \{\} \; -print
>
>./AccessControl/Permissions.py
>./HelpSys/HelpSys.py
>./HelpSys/HelpTopic.py
>./OFS/Cache.py
>./OFS/ObjectManager.py
>./OFS/PropertyManager.py
>./OFS/PropertySheets.py
>./OFS/ZDOM.py
>./Products/OFSP/help/ObjectManager.py
>./Products/OFSP/help/PropertyManager.py
>./Products/OFSP/help/PropertySheet.py
>./ZClasses/Property.py
>./webdav/Resource.py
>
>
>(This is Zope 2.3.3.)
>The relevant files should be everything under OFS/,
>esp. ObjectManager.py and Property*.py,
>and the Zope help->API Documentation, which contains
>help for the above-mentioned classes (including permissions).
>
>cheers,
>olver
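An added example, not part of the original thread and not Zope's own code: the grep above lists files, while this sketch lists the method names a given permission guards, together with any default roles. It assumes the classic Zope 2 declaration style, in which a class sets `__ac_permissions__` to a tuple of `(permission, method names[, default roles])` entries; `SAMPLE` and `guarded_methods` are hypothetical names.

```python
import ast
import re
# Constructed sample in Zope 2 style (not copied from any Zope release).
SAMPLE = '''
class Folderish:
    __ac_permissions__=(
        ('Manage properties', ('manage_addProperty', 'manage_delProperties')),
        ('Access contents information',
         ('hasProperty', 'propertyIds', 'propertyItems'), ('Anonymous', 'Manager')),
        ('View', ('index_html',)),  # no default roles declared
    )
'''
DECL = re.compile(r'__ac_permissions__\s*=\s*\(')

def _tuple_source(text, start):
    """Return the balanced (...) starting at text[start], skipping strings and comments."""
    depth, i, quote = 0, start, None
    while i < len(text):
        c = text[i]
        if quote:
            if c == '\\':
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '\'"':
            quote = c
        elif c == '#':
            i = text.find('\n', i)          # jump to end of comment
            if i < 0:
                return None
        elif c in '()':
            depth += 1 if c == '(' else -1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return None

def guarded_methods(text, permission):
    """Map method name -> default roles (None if undeclared) for one permission."""
    found = {}
    for m in DECL.finditer(text):
        src = _tuple_source(text, m.end() - 1)
        try:
            entries = ast.literal_eval(src) if src else ()
        except (ValueError, SyntaxError):
            continue                        # uses names, not literals: review by hand
        for perm, names, *roles in entries:
            if perm == permission:
                found.update(dict.fromkeys(names, roles[0] if roles else None))
    return found
```

Only the declaration text is parsed, so the rest of the file never has to be valid for the interpreter running the audit; declarations that refer to permissions through variables are skipped and need manual review.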