[Zope] Authentication problem with owner_info
Nicolas Évrard
nicoe@altern.org
Wed, 19 Mar 2003 02:26:23 +0100
* Dieter Maurer [21:22 18/03/03 CET]:
>Nicolas Évrard wrote at 2003-3-17 22:22 +0100:
> > ...
> > And if you have a reason why access to the owner of an object is not
> > visible unless I use a proxied script I would really be glad to read it.
>
>It is protected by a permission.
>
>And as with all permissions, you must either grant them to
>the users that need them or you have a special script with
>a proxy role.

Ok with that ...

>I do not argue whether the set of methods protected by
>the one protecting "owner_info" is senseful.
>It heavily depends on the application domain, in general.

Well, I don't really see how the information about who is the owner of an
object or so might be a security breach. I'm not a security guru so I
can hardly imagine how to trick the Zope Security System with such
information.

>And it is not worth arguing about it, as you always can
>use the proxy role approach.

Yup, but I was wondering how this protection came about ... Because
even if the script is really simple I see it as a "setuid root script"
and I don't like having those kinds of things hanging around in my system
if they are not *really* unavoidable.

Because, for example, if I need to access this kind of information in a
fairly complicated script, there may be some security issues I don't
check and the script will be proxied => a potential security breach?

Anyway, thank you for your answer.

--
(°> Nicolas Évrard
/ ) Liège - Belgique
^^