[Zope] Obscure security?
Oliver Bleutgen
myzope@gmx.net
Thu, 22 Nov 2001 16:18:23 +0100
Ragnar Beer wrote:
> Thanks a lot! I was trying to grep 'Access_contents_information' and
> didn't find a lot. Now I know that anyone can e.g. access propertyItems
> which is quite a bad thing in this case :(
>
> Ragnar
Yes, you're right.
One thing to note is that there is another security measure. In old
zopes (<= 2.1.6 IIRC) it was for instance possible to go to
http://zopeserver/objectIds
to get that list, which doesn't work nowadays, although anonymous
has "Access contents information" rights.
I wonder why propertyItems doesn't do the same.
cheers,
oliver