[Zope] Obscure security?
Ragnar Beer
rbeer@q-ality.de
Thu, 22 Nov 2001 16:56:14 +0100
Hmm, at the time of Zope 2.1 I added a deny rule to my httpd.conf so
that objectIds wasn't accessible any more. I always kept that rule -
just in case. And maybe I should also add some other deny rules...
But I think you're right: accessing propertyItems and stuff should be
forbidden by Zope.
Cheers,
Ragnar
>Ragnar Beer wrote:
>
>> Thanks a lot! I was trying to grep 'Access_contents_information'
>> and didn't find a lot. Now I know that anyone can e.g. access
>> propertyItems which is quite a bad thing in this case :(
>> Ragnar
>
>Yes, you're right.
>One thing to note is that there is another security measure. In old
>zopes (<= 2.1.6 IIRC) it was for instance possible to go to
>http://zopeserver/objectIds
>to get that list, which doesn't work nowadays, although anonymous
>has "Access contents information" rights.
>I wonder why propertyItems doesn't do the same.
>
>cheers,
>oliver