[Zope] security issue!
Steve Spicklemire
steve@spvi.com
Mon, 22 Apr 2002 20:27:21 -0500
On Friday, April 19, 2002, at 11:18 AM, Iago wrote:
> The setting:
>
> I have a folder (call it foo/bar), on which I've unchecked Acquire
> Permissions Settings and checked Authenticated, so logins should be
> enforced when attempting to access that folder.
>
For what permissions did you do this? Try "access contents information".
Then Zope won't be able to tell if it can acquire index_html or not
before authenticating...
-steve
> In foo, I define the index_html method.
>
> In foo/bar I have file.txt
>
> The issue:
>
> If I try to access foo/bar, I do not get authenticated -- it _seems_
> to be going by the permissions governing foo/index_html, instead of
> foo/bar (before accessing) foo/bar/index_html (and then, lacking
> that, inheriting).
>
> If I try to access foo/bar/file.txt, I get asked to authenticate.
>
> This is wholly counterintuitive to someone who first did his
> authenticating years ago using .htaccess files -- permissions on a
> folder should affect attempts to acquire any resource within that
> folder, *regardless* of whether that resource is inherited or not!
>
> Is there a fix to this that doesn't involve the (less scalable)
> notion of copying the index_html method from the top into this
> directory?
>
> Thanks
>
> --
> Fred Hicks <iago@iago.net>
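
Added illustration, not part of the original thread and not Zope's own code: a toy Python model of the behaviour described in the quoted report. It assumes that the View roles of an acquired object are resolved along the containment chain of the place where the object is defined, and compares that with the .htaccess-style check the poster expected. All class and function names are hypothetical.

```python
# Toy model of the thread's scenario (constructed; not Zope source code).
ANON, AUTH = "Anonymous", "Authenticated"

class Node:
    def __init__(self, name, container=None, folder=False, view_roles=None, acquire=True):
        self.name, self.container, self.folder = name, container, folder
        self.view_roles = view_roles  # roles holding "View" here; None = nothing set
        self.acquire = acquire        # the "Acquire Permission Settings" checkbox
        self.children = {}
        if container is not None:
            container.children[name] = self

def lookup(folder, name):
    """Acquisition: look in the folder, then in each enclosing folder."""
    while folder is not None:
        if name in folder.children:
            return folder.children[name]
        folder = folder.container
    raise KeyError(name)

def roles_for_view(obj):
    """Assumed rule: collect roles along the object's own containment chain."""
    roles = set()
    while obj is not None:
        if obj.view_roles is not None:
            roles.update(obj.view_roles)
            if not obj.acquire:       # settings stop being inherited here
                break
        obj = obj.container
    return roles

def needs_login(root, path, htaccess_style=False):
    """True if an anonymous request for path would be asked to authenticate."""
    obj, traversed = root, []
    for part in path.strip("/").split("/"):
        obj = lookup(obj, part)
        traversed.append(obj)
    if obj.folder:  # a bare folder URL publishes index_html, possibly acquired
        obj = lookup(obj, "index_html")
    # htaccess_style also checks every folder on the URL path, not just the target
    checked = traversed + [obj] if htaccess_style else [obj]
    return any(ANON not in roles_for_view(o) for o in checked)

def build_site():
    """The layout from the report: foo/index_html, foo/bar (locked), foo/bar/file.txt."""
    root = Node("", folder=True, view_roles=[ANON])
    foo = Node("foo", root, folder=True)
    Node("index_html", foo)
    bar = Node("bar", foo, folder=True, view_roles=[AUTH], acquire=False)
    Node("file.txt", bar)
    return root
```

In this model `needs_login(build_site(), "foo/bar")` is false because the acquired `index_html` is contained in `foo`, so the settings on `bar` are never consulted, while `foo/bar/file.txt` is contained in `bar` and does require a login.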