[Zope] Authentication problem with owner_info

Nicolas Évrard nicoe@altern.org
Wed, 19 Mar 2003 02:26:23 +0100


* Dieter Maurer  [21:22 18/03/03 CET]: 
>Nicolas Évrard wrote at 2003-3-17 22:22 +0100:
> > ...
> > And if you have a reason why access to the owner of an object is not
> > visible unless I use a proxied script I would really be glad to read it.
>
>It is protected by a permission.
>
>And as with all permissions, you must either grant them to
>the users that need them or you have a special script with
>a proxy role.

Ok with that ...

>I do not argue whether the set of methods protected by
>the one protecting "owner_info" is senseful.
>It heavily depends on the application domain, in general.

Well, I don't really see how the information about who is the owner of an
object or so might be a security breach. I'm not a security guru so I
can hardly imagine how to trick the Zope Security System with such
information.

>And it is not worth arguing about it, as you always can
>use the proxy role approach.

Yup, but I was wondering how did this protection come about ... Because
even if the script is really simple I see it as a "setuid root script"
and I don't like having those kinds of things hanging around in my system
if they are not *really* unavoidable.

Because, for example, if I need to access this kind of information in a
fairly complicated script, there may be some security issues I don't
check and the script will be proxied => A potential security breach?

Anyway thank you for your answer.

-- 
(°>  Nicolas Évrard
/ )  Liège - Belgique
^^