[Zope] security issue!
Iago
iago@iago.net
Fri, 19 Apr 2002 09:18:10 -0700
The setting:
I have a folder (call it foo/bar), on which I've unchecked Acquire
Permissions Settings and checked Authenticated, so logins should be
enforced when attempting to access that folder.
In foo, I define the index_html method.
In foo/bar I have file.txt
The issue:
If I try to access foo/bar, I do not get authenticated -- it _seems_
to be going by the permissions governing foo/index_html, instead of
foo/bar (before accessing) foo/bar/index_html (and then, lacking
that, inheriting).
If I try to access foo/bar/file.txt, I get asked to authenticate.
This is wholly counterintuitive to someone who first did his
authenticating years ago using .htaccess files -- permissions on a
folder should affect attempts to acquire any resource within that
folder, *regardless* of whether that resource is inherited or not!
Is there a fix to this that doesn't involve the (less scalable)
notion of copying the index_html method from the top into this
directory?
Thanks
--
Fred Hicks <iago@iago.net>
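
A simplified model of the behaviour described in this message, added here as an illustration; it is not Zope code and not part of the original post. It assumes the roles required for viewing are looked up along the containment chain of the object actually published (the acquired index_html lives in foo, not foo/bar), and the `Node` class and function names are hypothetical.

```python
# Simplified model, not Zope's implementation. Compares two ways of deciding
# which roles are required to view a URL:
#   containment_roles: follow the published object's own containers
#   path_roles:        .htaccess-style, deepest explicit setting on the URL path

class Node:
    def __init__(self, name, parent=None, view_roles=None, is_folder=False):
        self.name, self.parent, self.is_folder = name, parent, is_folder
        self.view_roles = view_roles   # None = acquire the setting from the container
        self.children = {}
        if parent is not None:
            parent.children[name] = self

def publish(root, path):
    """Walk the URL; for a folder, publish index_html, acquiring it if needed."""
    node, visited = root, [root]
    for name in path.strip("/").split("/"):
        node = node.children[name]
        visited.append(node)
    if node.is_folder:
        holder = node
        while "index_html" not in holder.children:
            holder = holder.parent     # acquired from an enclosing folder
        node = holder.children["index_html"]
    return node, visited

def containment_roles(obj):
    while obj.view_roles is None:      # walk up the object's own containers
        obj = obj.parent
    return obj.view_roles

def path_roles(visited):
    for node in reversed(visited):     # deepest explicit setting on the URL path
        if node.view_roles is not None:
            return node.view_roles

# Constructed layout matching the message: foo/index_html, foo/bar/file.txt,
# with foo/bar not acquiring permissions and restricted to Authenticated.
ROOT = Node("", view_roles={"Anonymous"}, is_folder=True)
FOO = Node("foo", ROOT, is_folder=True)
Node("index_html", FOO)
BAR = Node("bar", FOO, view_roles={"Authenticated"}, is_folder=True)
Node("file.txt", BAR)

def required(path):
    obj, visited = publish(ROOT, path)
    return containment_roles(obj), path_roles(visited)

if __name__ == "__main__":
    for p in ("foo/bar", "foo/bar/file.txt"):
        print(p, required(p))
```

In this model the two checks disagree only for foo/bar, where the published object is the index_html contained in foo.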