[Zope] Weird problem with permissions

Dennis Allison allison at sumeru.stanford.EDU
Sun Oct 5 14:39:47 EDT 2003


Not that I am aware of.

On Sun, 5 Oct 2003, Florian Lindner wrote:

> > Well, some users feel that giving anonymous users the right to send mail
> > is not a good idea (-:   Looks like you have this problem resolved!
> 
> Is there any way to send emails with the Mailhost except via Scripts?
> 
> >
> > On Sun, 5 Oct 2003, Florian Lindner wrote:
> >
> >> Hello,
> >> I've tracked it down:
> >>
> >> msg = context.confirm_subscription.absolute_url() + "?ID=" + str(rnd)
> >>
> >> context.MailHost.simple_send(REQUEST.email, "webmaster at centershock.net",
> >> "centershocknet: confirmation required", msg)  <--
> >>
> >> If I uncomment the marked line, it works (the msg=... line is only for a
> >> better understanding).
> >> When I enable
> >>    Use mailhost services
> >> for anonymous it works! What are the (dangerous) implications of this
> >> permission? Why is it not enabled by default?
> >> Thanks,
> >> Florian
> >>
> >> Dennis Allison wrote:
> >> > Which Zope are you running?  I'd install Shane's Verbose Security Product
> >> > and use it to track down the protection failure.   No protection problem
> >> > jumps out at me from your precis code.
> >> >
> >> > On Sun, 5 Oct 2003, Florian Lindner wrote:
> >> >
> >> >
> >> >>Dennis Allison wrote:
> >> >>
> >> >>>What does the form action do?
> >> >>
> >> >>It sends the form data with POST to a script:
> >> >>
> >> >>   <form action="generatePending" method="post">
> >> >>
> >> >>The script does some checks on the input data:
> >> >>
> >> >>   if REQUEST.name == '':
> >> >>
> >> >>and calls some SQL-Methods
> >> >>
> >> >>   context.addPendingUser(ID=rnd, name=REQUEST.name, email=REQUEST.email)
> >> >>
> >> >>At the end it redirects to a confirmation page:
> >> >>
> >> >>   RESPONSE.redirect(context['conf_required.zpt'].absolute_url())
> >> >>
> >> >>That's about all.
> >> >>
> >> >>All permissions of all involved objects are set to "Acquired".
> >> >>
> >> >>Thanks,
> >> >>Florian
> >> >>
> >> >>
> >> >>
> >> >>>On Sun, 5 Oct 2003, Florian Lindner wrote:
> >> >>>
> >> >>>
> >> >>>
> >> >>>>Dennis Allison wrote:
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>>Look at the security settings of the root folder from which acquired
> >> >>>>>permissions are derived.  I suspect that anonymous users don't have the
> >> >>>>>necessary permissions.
> >> >>>>
> >> >>>>All permissions are set to Manager, except these, which additionally have
> >> >>>>Anonymous set:
> >> >>>>
> >> >>>>Access Transient Objects
> >> >>>>Access contents information
> >> >>>>Access session data
> >> >>>>Copy or Move (why is this granted to Anons?)
> >> >>>>Query Vocabulary
> >> >>>>Search ZCatalog
> >> >>>>Use Database Methods
> >> >>>>View
> >> >>>>WebDAV access
> >> >>>>
> >> >>>>What is wrong/missing?
> >> >>>>
> >> >>>>Is there anywhere an explanation of what all these permissions mean?
> >> >>>>
> >> >>>>Thanks,
> >> >>>>Florian
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>>On Sun, 5 Oct 2003, Florian Lindner wrote:
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>>Hello,
> >> >>>>>>I've just discovered a strange thing with my (test-)site. I don't know
> >> >>>>>>if it was from the beginning, or if I changed something.
> >> >>>>>>I'm using CookieCrumbler for authentication. I'm not logged in
> >> >>>>>>(Anonymous User).
> >> >>>>>>I've a page template with a form. The action attribute of the form
> >> >>>>>>refers to a python-script-object. But if I submit the script I'm
> >> >>>>>>redirected to the login-page (the page set in CookieCrumbler). Obviously
> >> >>>>>>an anon user doesn't have permissions to execute the script. All
> >> >>>>>>permissions are set to acquire, in the objects and in the upper folders.
> >> >>>>>>Is this normal? Which permissions do I have to set?
> >> >>>>>>I have the same behavior with a page template which just calls a
> >> >>>>>>SQL-method and displays (tal:repeat) the results. I've changed no
> >> >>>>>>security permissions.
> >> >>>>>>Everything works when I'm logged in with a user.
> >> >>>>>>What is wrong?
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>
> >> >
> >>
> >>
> >
> 
> 
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
> 
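The permission question running through this thread (why Anonymous can run the script and the SQL method but is stopped at MailHost.simple_send, and what ticking "Use mailhost services" for Anonymous at the root actually opens up) is easier to see with a small model of how Zope 2 resolves acquired permission settings. The Python below is an added example, not code posted by anyone in the thread and not Zope's own implementation; the Node class, the roles_for/may/simulate functions and the abridged root-folder grants are constructed for illustration. It also models proxy roles on the Python Script (a standard setting on Zope Python Scripts) as the alternative to widening the root grant.

```python
"""Toy model of how Zope 2 resolves acquired permission settings.

Added example, not code from the thread or from Zope. It reproduces the
setup described above (root folder grants Anonymous a few permissions,
every sub-object set to "Acquire"), shows why Anonymous running
generatePending can call the SQL method but not MailHost.simple_send,
what ticking "Use mailhost services" for Anonymous at the root exposes,
and how proxy roles on the script avoid that. Object names, role sets
and the data model are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One object in the Zope tree together with its Security tab settings."""
    name: str
    parent: "Node | None" = None
    # permission -> (acquire ticked?, roles ticked on this object)
    settings: dict = field(default_factory=dict)
    proxy_roles: frozenset = frozenset()  # only meaningful on a Python Script


def roles_for(node, permission):
    """Roles that hold `permission` on `node`.

    Roles ticked locally are always granted. While "Acquire permission
    settings" is ticked (the default for new objects) the parent's roles
    are added too, all the way up to the root folder.
    """
    granted = set()
    while node is not None:
        acquire, local = node.settings.get(permission, (True, frozenset()))
        granted |= local
        if not acquire:
            break
        node = node.parent
    return granted


def may(user_roles, node, permission, via_script=None):
    """Access is granted if any effective role holds the permission.

    Code executing inside a Python Script that has proxy roles runs with
    those roles instead of the calling user's roles.
    """
    if via_script is not None and via_script.proxy_roles:
        effective = set(via_script.proxy_roles)
    else:
        effective = set(user_roles)
    return bool(effective & roles_for(node, permission))


# Root folder grants, constructed from the list in the thread (abridged).
ROOT_GRANTS = {
    "View": {"Manager", "Anonymous"},
    "Use Database Methods": {"Manager", "Anonymous"},
    "Use mailhost services": {"Manager"},
}


def build_site(mailhost_for_anonymous=False, script_proxy_roles=()):
    """Root folder with explicit settings; everything below it acquires."""
    root = Node("root", settings={p: (False, frozenset(r)) for p, r in ROOT_GRANTS.items()})
    if mailhost_for_anonymous:
        root.settings["Use mailhost services"] = (False, frozenset({"Manager", "Anonymous"}))
    mailhost = Node("MailHost", parent=root)
    site = Node("site", parent=root)
    script = Node("generatePending", parent=site, proxy_roles=frozenset(script_proxy_roles))
    sqlmethod = Node("addPendingUser", parent=site)
    return root, mailhost, script, sqlmethod


def simulate(mailhost_for_anonymous=False, script_proxy_roles=()):
    """What an Anonymous visitor can do through the generatePending script."""
    root, mailhost, script, sqlmethod = build_site(mailhost_for_anonymous, script_proxy_roles)
    anon = {"Anonymous"}
    return {
        "run generatePending": may(anon, script, "View"),
        "call addPendingUser": may(anon, sqlmethod, "Use Database Methods", via_script=script),
        "call MailHost.simple_send": may(anon, mailhost, "Use mailhost services", via_script=script),
        # exposure check: can Anonymous use the MailHost outside this one script?
        "use MailHost directly": may(anon, mailhost, "Use mailhost services"),
    }


if __name__ == "__main__":
    for label, kw in [("as in the thread", {}),
                      ("Anonymous ticked at root", {"mailhost_for_anonymous": True}),
                      ("proxy role Manager on script", {"script_proxy_roles": ("Manager",)})]:
        print(label)
        for action, ok in simulate(**kw).items():
            print(f"  {action:28s} {'allowed' if ok else 'denied'}")
```

The first scenario reproduces the observed behaviour: View and Use Database Methods acquire down from the root, Use mailhost services does not include Anonymous, so the check on the MailHost fails. The second scenario shows the cost of the quick fix: because the MailHost acquires from the root, the grant is not limited to this script but applies to anything Anonymous can get to execute. The third keeps the root grant at Manager and lets only the audited script act with that role, which is why "use MailHost directly" stays denied there.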
