[Zope] set accessrule

Chris McDonough chrism@zope.com
Fri, 22 Mar 2002 10:56:23 -0500 

There is a simple answer to this question, but I'm not sure you're going to
like it. ;-)  Don't solely use access rules for security.  Instead, use the
Zope security framework.  Protect the folder with a permission.

----- Original Message -----
From: <jbr@FIZ-Karlsruhe.DE>
To: <zope@zope.org>
Sent: Thursday, March 21, 2002 6:38 PM
Subject: Re: [Zope] set accessrule


> Hello,
>
> summary of set access rule with zope 2.5.0
>
> 1.) for a folder testfolder I have set "Set Access Rule" to python script
accessHB
>     to limit access
>
> 2.) as Chris McDonough has shown (thanks !)  accessHB is working  like:
>
>
>  > From chrism@zope.com Thu Mar 21 19:21 MET 2002
>  > Subject: Re: [Zope] set accessrule
>  > Date: Thu, 21 Mar 2002 13:26:28 -0500
>  >
>  > Hi,
>  >
>  > I wouldn't bother to try to pass in REQUEST (the caller for access
rules
>  > does not pass any arguments in to the script).  Instead, get the
REQUEST
>  > from context ala context.REQUEST.  I think the test tab populates
REQUEST
>  > for you via magic that doesn't happen when an access rule is called.
>  >
>  > Your script becomes:
>  >
>  >   -----------------------------------------
>  >   ## Script (Python) "accessruleHB"
>  >   ##bind container=container
>  >   ##bind context=context
>  >   ##bind namespace=
>  >   ##bind script=script
>  >   ##bind subpath=traverse_subpath
>  >   ##parameters=
>  >   ##title=
>  >
>  >   if context.REQUEST.SESSION.get('MySessionId') == None:
>  >       context.REQUEST.RESPONSE.redirect('/rootfolder')
>  >   -----------------------------------------
>  >
>
> But there is a security problem with  "Set Access Rule":
>
> Any user even the unauthorized  can get access to the folder (which
> is restricted by set accessrule)   if he adds _SUPPRESS_ACCESSRULE to the
url:
>
>    http: ... testfolder/_SUPPRESS_ACCESSRULE
>
> gives access to restricted folder testfolder.
>
> This may be a bug or has been done to get access in case of emergency, but
> it makes set accessrule (more or less) useless.
>
> What can I do to prevent Zope to give access by adding
_SUPPRESS_ACCESSRULE ?
>
> Do I have to modify the programmes which implement set access rule ?
> I even don't know where these programmes are located.
>
> With kind regards, Juergen Berger
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>