[Zope] Obscure security?

Ragnar Beer rbeer@q-ality.de
Fri, 23 Nov 2001 11:29:18 +0100


I'm afraid that info is also far too dynamic to be kept up to date. I 
can imagine two solutions:

1. A 'deny everything that isn't explicitly allowed' policy. One 
could tell Apache to allow requests only for objects containing a 
certain string, e.g. '_html'. This way propertyItems and so on 
wouldn't be accessible. This method would certainly require a lot of 
planning beforehand.

2. I always dreamt about a tool that in a first step (accessing ZODB 
directly) walks down the object tree and collects whatever is 
potentially accessible and then in a second step tries to access the 
collected items via http and displays the results (i.e. the URL of 
the accessible stuff). This way it would be easy to find out what 
happens when you change permissions.

Ragnar


>Ragnar Beer writes:
>  > I spent some time searching the documentation for an explanation of
>  > the "Access_contents_information" permission but didn't find
>  > anything. I think this is vital information for any Zope admin and
>  > should be easy to find. How can I set up permissions when I can't
>  > find out exactly what permissions I'm actually granting?
>While I understand your wish, it probably is not that easy.
>I expect that there was not a precise design behind the security
>declarations. Instead, there was probably an initial set
>of permissions, "View", "Access contents information", ...
>with nothing more than the informal meaning expressed by the
>English words describing the permission (not too bad...).
>For me, this informal use has been sufficient so far.
>
>When you really want to learn about all details, then you
>may use a tool to find all occurrences of "Access contents information"
>in the Zope sources (I work under Unix and would use "find" together
>with "fgrep").
>As you are convinced that this information is vital for
>Zope users, you may collect it and donate it as an appendix
>to the ZDG (Zope's developer guide).
>
>When we all behave this way, the Zope community's strength will
>grow fast....
>
>
>Dieter
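The two ideas in Ragnar's message above, the "deny everything that isn't explicitly allowed" rule keyed on '_html' and the walk-then-probe tool, as an added example that is not code from the original thread or from the Zope project. It assumes the object tree is modelled as nested dicts standing in for the ZODB (a real tool would open the ZODB and walk the folders), that the site lives at a hypothetical base URL, and that `fetch` is any callable returning an HTTP status code, so the tool can be pointed at a live site with urllib or run offline with a fake fetcher:

```python
"""Walk an object tree, derive candidate URLs, probe them over HTTP, and
report what is reachable but not covered by the '_html' allow-list.

Added example, not code from the original thread.  Assumptions:
  - the object tree is modelled as nested dicts standing in for the ZODB;
  - `fetch` is any callable (url) -> HTTP status code; the default uses
    urllib, tests inject a fake one so the example runs offline;
  - the allow-list predicate mirrors solution 1: only paths containing
    '_html' are meant to be reachable through Apache.
"""
from typing import Callable, Dict, Iterator, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed stand-in for a small ZODB: folders are dicts, leaves map an
# object name to its meta type.  Sample data only, not a real site.
SAMPLE_TREE: Dict = {
    "index_html": "DTML Document",
    "standard_html_header": "DTML Method",
    "propertyItems": "Python Method",       # exposed by property support
    "news": {
        "index_html": "DTML Document",
        "manage_main": "Management screen",
        "2001": {"report_html": "DTML Document", "objectValues": "Method"},
    },
}


def walk(tree: Dict, prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (url_path, meta_type) for every folder and leaf, depth first.
    This is the 'collect whatever is potentially accessible' step."""
    for name, node in tree.items():
        path = f"{prefix}/{name}"
        if isinstance(node, dict):
            yield path, "Folder"
            yield from walk(node, path)
        else:
            yield path, node


def allowed_by_apache(path: str, marker: str = "_html") -> bool:
    """Solution 1 as a predicate: a request is allowed only when its path
    contains the marker string; everything else is denied by default."""
    return marker in path


def http_fetch(url: str, timeout: float = 5.0) -> int:
    """Default prober: GET the URL and return the HTTP status code
    (0 when the connection itself fails)."""
    req = Request(url, headers={"User-Agent": "zope-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:          # 401/403/404 are answers, not failures
        return err.code
    except URLError:
        return 0


def probe(base_url: str, tree: Dict,
          fetch: Callable[[str], int] = http_fetch) -> List[Dict]:
    """Solution 2: walk the tree, request every candidate URL, and record
    the status next to what the allow-list policy intended."""
    results = []
    for path, meta in walk(tree):
        url = base_url.rstrip("/") + path
        status = fetch(url)
        results.append({
            "url": url,
            "meta_type": meta,
            "status": status,
            "reachable": status == 200,
            "expected": allowed_by_apache(path),
        })
    return results


def unexpected(results: List[Dict]) -> List[str]:
    """URLs that answered 200 although the policy never meant to expose them."""
    return [r["url"] for r in results if r["reachable"] and not r["expected"]]


if __name__ == "__main__":
    # Point this at a real site to see what anonymous users actually get.
    for hit in unexpected(probe("http://localhost:8080", SAMPLE_TREE)):
        print("exposed:", hit)
```

The probe reports status codes rather than content: Zope answers 401 when a permission check fails, so a 200 on a bare folder URL usually means an index_html was found by acquisition, and a 200 on something like propertyItems is exactly the leak the thread worries about. Run it once against the site directly and once through Apache; the first run shows what the permissions alone expose, the second whether the allow-list closes it. The Apache rule only helps if Zope's own HTTP port is not reachable from outside, and because it is a substring match on the path it denies nothing whose name happens to contain '_html'.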