[Zope] security issue!

Steve Spicklemire steve@spvi.com
Mon, 22 Apr 2002 20:27:21 -0500


On Friday, April 19, 2002, at 11:18 AM, Iago wrote:

>   The setting:
>
>     I have a folder (call it foo/bar), on which I've unchecked Acquire
>     Permissions Settings and checked Authenticated, so logins should be
>     enforced when attempting to access that folder.
>

For what permissions did you do this? Try "access contents information". 
Then Zope won't be able to tell if it can acquire index_html or not 
before authenticating...

-steve

>     In foo, I define the index_html method.
>
>     In foo/bar I have file.txt
>
>   The issue:
>
>     If I try to access foo/bar, I do not get authenticated -- it _seems_
>     to be going by the permissions governing foo/index_html, instead of
>     foo/bar (before accessing) foo/bar/index_html (and then, lacking
>     that, inheriting).
>
>     If I try to access foo/bar/file.txt, I get asked to authenticate.
>
>     This is wholly counterintuitive to someone who first did his
>     authenticating years ago using .htaccess files -- permissions on a
>     folder should affect attempts to acquire any resource within that
>     folder, *regardless* of whether that resource is inherited or not!
>
>     Is there a fix to this that doesn't involve the (less scalable)
>     notion of copying the index_html method from the top into this
>     directory?
>
> Thanks
>
> --
> Fred Hicks <iago@iago.net>