[Zope] Security: allow manage_changeProperties globally

Oliver Bleutgen myzope@gmx.net
Tue, 04 Feb 2003 17:13:40 +0100


Milos Prudek wrote:
> If "Manage properties" permission is allowed for Anonymous, is it a 
> security breach?
> 
> In other words, is it possible to put manage_changeProperties in a URL?
> 
> I tried 
> http://www.somewhere.com/somedocument/manage_changeProperties?title=xxx, 
> it ran successfully but title remained intact...

Maybe because manage_changeProperties tries to call 
manage_propertiesForm (IIRC) if REQUEST is not None, which in turn 
causes an exception and aborts the transaction?
If you do that as Manager, you'll see that it indeed is callable via the web.

> I need to increment a document property "number of readers". Is it safer 
> to disable "Manage properties" for Anonymous and to assign Proxy role 
> "Manager" to the method that calls manage_changeProperties and 
> increments number of readers?

I'd say this is obvious, but you can even be more secure by
just creating a role with "Manage properties" permission, and assign 
that as a proxy role...


HTH,
oliver
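To make the proxy-role advice in this thread concrete, here is an added example (not code from the original mail or from Zope itself): a small stand-alone model of how Zope's permission check and proxy roles interact. The `Document` class, `check()`, `run_script()`, and the role name `PropertyEditor` are constructed for illustration; in real Zope the counterpart is a Script (Python) that calls the document's `manage_changeProperties`, with the proxy role assigned on the script's Proxy tab. It contrasts the two settings discussed: an Anonymous user calling `manage_changeProperties` directly (denied once "Manage properties" is taken away from Anonymous), the counter script running with a narrow proxy role, and the same script body running with a Manager proxy role.

```python
# Added example: a self-contained model of the least-privilege advice above.
# This is NOT Zope's own security machinery; Document, check(), run_script()
# and the role name "PropertyEditor" are constructed for illustration.

class Unauthorized(Exception):
    """Raised when the effective roles lack the required permission."""


# Permission -> roles granted it, as on a document's Security tab.
# Constructed settings: "Manage properties" is deliberately NOT granted to
# Anonymous; a narrow role "PropertyEditor" holds only what the counter needs.
DOC_PERMISSIONS = {
    "View": {"Anonymous", "PropertyEditor", "Manager"},
    "Manage properties": {"PropertyEditor", "Manager"},
    "Delete objects": {"Manager"},
}


def check(permission, roles):
    """Model of Zope's check: at least one effective role must hold the permission."""
    allowed = DOC_PERMISSIONS[permission]
    if not set(roles) & allowed:
        raise Unauthorized(
            "%s requires one of %s, caller has %s"
            % (permission, sorted(allowed), sorted(roles))
        )


class Document:
    """Stand-in for a property-bearing Zope object (constructed, not Zope's class)."""

    def __init__(self, readers=0):
        self.props = {"number_of_readers": readers}
        self.deleted = False

    def getProperty(self, roles, name, default=None):
        check("View", roles)
        return self.props.get(name, default)

    def manage_changeProperties(self, roles, **kw):
        check("Manage properties", roles)
        self.props.update(kw)

    def manage_delObjects(self, roles):
        check("Delete objects", roles)
        self.deleted = True


def run_script(caller_roles, proxy_roles, script, doc):
    """Run `script` the way Zope runs a script with proxy roles: when proxy roles
    are set, the script executes with exactly those roles, not the caller's."""
    effective = set(proxy_roles) if proxy_roles else set(caller_roles)
    return script(doc, effective)


def increment_readers(doc, roles):
    """Body of the counter script: read, add one, write back via manage_changeProperties."""
    n = doc.getProperty(roles, "number_of_readers", 0) + 1
    doc.manage_changeProperties(roles, number_of_readers=n)
    return n


def delete_document(doc, roles):
    """A destructive action the counter script never needs."""
    doc.manage_delObjects(roles)
    return True


def outcome(fn, *args, **kw):
    """Return the call's result, or 'denied' when the permission check fails."""
    try:
        return fn(*args, **kw)
    except Unauthorized:
        return "denied"


def compare_proxy_roles():
    """Contrast a Manager proxy role with the narrow PropertyEditor role for an Anonymous caller."""
    anon = {"Anonymous"}
    doc = Document()
    return {
        # 1. Anonymous calling manage_changeProperties directly: denied.
        "anon_direct": outcome(doc.manage_changeProperties, anon, number_of_readers=999),
        # 2. Through the script with the narrow proxy role: counter goes 0 -> 1.
        "narrow_increment": outcome(run_script, anon, {"PropertyEditor"}, increment_readers, doc),
        # 3. The narrow role cannot do anything beyond property changes.
        "narrow_delete": outcome(run_script, anon, {"PropertyEditor"}, delete_document, doc),
        # 4. A Manager proxy role makes the same script body capable of deletion.
        "manager_delete": outcome(run_script, anon, {"Manager"}, delete_document, doc),
        "counter": doc.getProperty(anon, "number_of_readers"),
    }


if __name__ == "__main__":
    for key, value in compare_proxy_roles().items():
        print("%-18s %s" % (key, value))
```

The point the model makes is the one Oliver raises: the script needs exactly one permission, so a role carrying only "Manage properties" lets the counter work for Anonymous visitors while a Manager proxy role would hand the same script body every permission Manager has, which matters the moment the script gains a bug or an unintended code path.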