[Zope] Using Access Rules
Jamie Heilman
jamie at audible.transient.net
Fri Apr 30 18:51:04 EDT 2004
Dennis Allison wrote:
> Suppose I have pages stored in a folder structure rooted at /foo. The
> view security permission on /foo/... requires an Authenticated User.
> Normally pages are served from /foo/... under programmatic control and
> additional constraints are applied. But, if the user creates another
> browser window and if he/she knows the URL (or the root URL) they can
> move about /foo/... however they want by simply entering the URL into
> the browser. (This works because they are authenticated and the
> authentication is shared in the browser.)
So, why is that a problem? You can't stop that with access rules
anyway. You can't stop anything with access rules; users can choose to
disable them on a whim.
--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly,
she's not for you." She was cheap, she was stupid and she wouldn't
load -- well, not for me, anyway." -Holly