[Zope] Security: allow manage_changeProperties globally
Oliver Bleutgen
myzope@gmx.net
Tue, 04 Feb 2003 17:13:40 +0100
Milos Prudek wrote:
> If "Manage properties" permission is allowed for Anonymous, is it a
> security breach?
>
> In other words, is it possible to put manage_changeProperties in a URL?
>
> I tried
> http://www.somewhere.com/somedocument/manage_changeProperties?title=xxx,
> it ran successfully but the title remained intact...
Maybe because manage_changeProperties tries to call
manage_propertiesForm (IIRC) if REQUEST is not None, which in turn
causes an exception and aborts the transaction?
If you do that as Manager, you'll see that it is indeed callable via the web.
> I need to increment a document property "number of readers". Is it safer
> to disable "Manage properties" for Anonymous and to assign Proxy role
> "Manager" to the method that calls manage_changeProperties and
> increments number of readers?
I'd say this is obvious, but you can be even more secure by
just creating a role with the "Manage properties" permission, and assigning
that as a proxy role...
HTH,
oliver