[Zope] Re: security (edit) problem for ttwtypes
David Vogel
vogel at glue.ch
Wed Jan 14 10:13:22 EST 2004
I finally have the solution!!
After trying everything on workflows and debugging for hours, here is the
simple solution:
We have to edit the file '../Products/TTWTYPE/ttwobject.py' in the
Products directory and add a security declaration:
old code:
<snip>
    def edit(self, **kwargs):
        """ update object data """
        keys = kwargs.keys()
        for field in self.fieldNames():
            if field in keys:
                self.store(field, kwargs[field])
        # set Title
        if 'title' in keys:
            self.title = kwargs['title']
        self.reindexObject()
</snip>
new code:
<snip>
    # needs at module level:  from Products.CMFCore import CMFCorePermissions
    # and at class level:     security = ClassSecurityInfo()
    # (the declaration takes effect once InitializeClass() runs on the class)
    security.declareProtected(CMFCorePermissions.ModifyPortalContent, 'edit')
    def edit(self, **kwargs):
        """ update object data """
        keys = kwargs.keys()
        for field in self.fieldNames():
            if field in keys:
                self.store(field, kwargs[field])
        # set Title
        if 'title' in keys:
            self.title = kwargs['title']
        self.reindexObject()
</snip>
There are also other security declarations missing for the other functions...
cheers,
david.
vogel at glue.ch wrote:
> I discovered a security problem in my plone/zope installation for every
> ttw-type.
> environment:
> - plone version 1.0.5
> - os: windows 2000
> - installed products: ttwtype, zopexmlmethods
> - created ttwtype 'ttwTypnamesFoo' in folder /myPloneFolder
>
> 1) at the root folder of my plone instance, I created a role A with
> permissions:
> a) Access session data and
> b) Access Transient Objects
> 2) I created user 01 with role A
>
>
> - correct: the user 01 never gets to see the tab with the edit-action
> - that's why on points 3) and 4) the access to the edit-form is done by
> typing the url directly in the url-field of the browser.
>
>
> 3) correct:
> - if user 01 wants to edit an object of type document (e.g.
> /Plone/index_html), the edit-form will be shown, but the user cannot
> save it. (-> msg: you are not allowed....)
> - url was: http://........../Plone/index_html/portal_form/document_edit_form
>
> 4) problem:
> - if user 01 wants to edit an object of a ttwtype (e.g.
> /myPloneFolder/ttwTypnamesFoo), the edit-form will be shown, and the user
> is ALLOWED to save it!!
> - url was:
> http://......./myPloneFolder/ttwTypnamesFoo/portal_form/ttw_edit_form
>
>
> any ideas how I can restrict the edit-and-save-access to my ttwtype objects?
>
>
>
> thanks for every input,
> david.
>
>
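An added example (my own helper, not code from the post or the TTWType product) for finding the other undeclared functions the post mentions: it walks a module's AST and lists public methods with no security.declare*() statement directly in front of them. The module text below is a constructed stand-in for ttwobject.py, and the helper names are assumptions.

```python
import ast
# Hypothetical audit helper: report public class methods in a Zope 2 product
# module that have no security.declare*() statement immediately before them.
# Constructed sample, modelled loosely on the ttwobject.py snippet in the post.
SAMPLE_MODULE = '''
from AccessControl import ClassSecurityInfo
from Products.CMFCore import CMFCorePermissions

class TTWObject:
    security = ClassSecurityInfo()

    security.declareProtected(CMFCorePermissions.View, 'view')
    def view(self):
        """ render the object """
        return self.title

    def edit(self, **kwargs):
        """ update object data """
        self.reindexObject()

    def helper(self):
        return 1

    def _store(self, field, value):
        pass
'''

def _is_security_declaration(stmt):
    # True for a statement of the form security.declareXxx(...)
    if not (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)):
        return False
    func = stmt.value.func
    return (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == 'security' and func.attr.startswith('declare'))

def undeclared_methods(source):
    """Return [(class, method, url_callable)] for public methods that lack a
    preceding declaration; '_'-prefixed names are skipped (private in Zope) and
    url_callable means it has the docstring ZPublisher requires for URL access."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        prev = None
        for stmt in node.body:
            if (isinstance(stmt, ast.FunctionDef) and not stmt.name.startswith('_')
                    and not _is_security_declaration(prev)):
                findings.append((node.name, stmt.name, ast.get_docstring(stmt) is not None))
            prev = stmt
    return findings
```

Run against the real product directory, a method reported with url_callable=True is exactly the situation in the post: reachable through a URL and guarded only by whatever the class default allows.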