[Zope] Basic Security question (resolved)
Small Business Services
toolkit at magma.ca
Thu Jun 3 08:06:59 EDT 2004
For the archives...
I was trying to set a proxy role on a dtml method to 'Authenticated' to
enable it to access image files in a subfolder which had its 'View'
permission set to authenticated.
e.g.

Folder A
|
|-- Display method (proxy=authenticated)
|-- Data folder (view=authenticated)
    |
    |-- image file
I kept getting security access errors with this arrangement.
The reason was that the Display method used the html tag <img
src="DataFolder/imagefile">. The proxy role authenticated the Display
method (as expected), but the html <img> tag actually causes a second http
request to access the 'src' file, and this second http request is not
authenticated, thereby causing the security access error.
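To make the two-request behaviour above concrete, here is a small stand-alone model (written for this note, not Zope's own security code) of Folder A with its 'Display' method and 'Data' folder. It models three things the thread relies on: the 'View' permission is checked on every object along the URL path with the roles of the current request; an unchecked 'Acquire permission settings' box means the object carries its own role list instead of its container's; and a proxy role replaces the caller's roles only while the method's own code runs. The image bytes, the path names and the data-URI variant are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Role sets a request can run with (constructed for this model).
ANONYMOUS = frozenset({"Anonymous"})
AUTHENTICATED = frozenset({"Anonymous", "Authenticated"})
EVERYONE = AUTHENTICATED


class Unauthorized(Exception):
    """Raised where Zope would show the name/password popup."""


@dataclass
class Node:
    name: str
    # Roles granted 'View'.  None models 'Acquire permission settings' being
    # checked: the effective setting comes from the container.
    view_roles: Optional[frozenset] = None
    parent: Optional["Node"] = None
    children: dict = field(default_factory=dict)
    # For methods only: proxy roles replace the caller's roles while the
    # method executes; None means no proxy role is set.
    proxy_roles: Optional[frozenset] = None
    body: Optional[Callable[["Node", frozenset], str]] = None
    data: bytes = b""

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def effective_view_roles(node: Node) -> frozenset:
    while node.view_roles is None:
        node = node.parent  # acquire the setting from the container
    return node.view_roles


def traverse(root: Node, path: str, roles: frozenset) -> Node:
    """Resolve a URL path below root, checking 'View' at every step with the
    roles of *this* request; nothing is remembered from earlier requests."""
    node = root
    for part in path.strip("/").split("/"):
        node = node.children[part]
        if not (effective_view_roles(node) & roles):
            raise Unauthorized(path)
    return node


def run_method(root: Node, method: Node, roles: frozenset) -> str:
    # Proxy roles apply only while the method's own code executes.
    effective = method.proxy_roles if method.proxy_roles is not None else roles
    return method.body(root, effective)


def display_with_img_tag(root: Node, roles: frozenset) -> str:
    # The arrangement from the thread: the method never reads the image
    # itself; it only tells the browser where to fetch it.
    return '<img src="Data/imagefile">'


def display_inline(root: Node, roles: frozenset) -> str:
    # Alternative: read the image *during* the proxied execution and embed
    # it, so the browser issues no second request for it.
    img = traverse(root, "Data/imagefile", roles)
    return '<img src="data:image/png;base64,%s">' % base64.b64encode(img.data).decode()


def build_site(inline: bool) -> Node:
    folder_a = Node("FolderA", view_roles=EVERYONE)
    folder_a.add(Node("Display",
                      proxy_roles=frozenset({"Authenticated"}),
                      body=display_inline if inline else display_with_img_tag))
    # 'Data' has 'View' = Authenticated with acquisition switched off.
    data = folder_a.add(Node("Data", view_roles=frozenset({"Authenticated"})))
    data.add(Node("imagefile", data=b"\x89PNG constructed sample bytes"))
    return folder_a


def browse(root: Node, roles: frozenset, method_path: str) -> dict:
    """Request 1 executes the method; then, as a browser would, issue one
    fresh request per <img src> it emitted, using the user's own roles."""
    method = traverse(root, method_path, roles)
    html = run_method(root, method, roles)
    sub = {}
    for src in re.findall(r'<img src="([^"]+)">', html):
        if src.startswith("data:"):
            continue  # embedded in the page; nothing to fetch
        try:
            traverse(root, src, roles)
            sub[src] = "ok"
        except Unauthorized:
            sub[src] = "Unauthorized"
    return {"html": html, "subrequests": sub}


if __name__ == "__main__":
    print(browse(build_site(inline=False), ANONYMOUS, "Display"))
    print(browse(build_site(inline=False), AUTHENTICATED, "Display"))
    print(browse(build_site(inline=True), ANONYMOUS, "Display"))
```

Running it as anonymous with the `<img>` variant reproduces the thread: the page itself renders, but the browser's second request for `Data/imagefile` is checked against the anonymous roles alone and is refused. The inline variant passes only because the image is read while the proxy role is in effect; the same idea in Zope would be any proxied method that returns the image data itself, so that whatever the browser fetches is an object anonymous users may execute.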
----- Original Message -----
From: "Jonathan Hobbs" <hobbs at magma.ca>
To: "Geir Bækholt" <lists at elvix.com>
Cc: "Zope mailinglist" <zope at zope.org>
Sent: May 27, 2004 4:15 PM
Subject: Re: [Zope] Basic Security question
> From: "Geir Bækholt" <lists at elvix.com>
> > On Thu, 27 May 2004 11:09:46 -0400 GMT
> > Jonathan Hobbs asked the Zope mailinglist about the following:
> >
> > > I thought I understood permissions and roles, but...
> >
> > > I have a folder ('Data') with the 'View' security role set to
> > > 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
> >
> > > When, as an 'anonymous' user, I try to access an object within the 'Data'
> > > folder the security popup window (enter your name/password) is displayed.
> > > This works as I expected it to.
> >
> > > I have created a dtml method called 'Display'. This test routine is
> > > hardcoded to display an object from the 'Data' folder. I have set the Proxy
> > > role for the Display method to "Authenticated". When, as an 'anonymous'
> > > user, I access the 'Display' method the security popup window appears?!
> > > Shouldn't the Proxy role assigned to the dtml method enable access to the
> > > object in the folder?
> >
> > Is the 'Display'-method incidentally also located inside the Data
> > folder? If that is the case, anon is still not allowed to access it,
> > and proxy /no proxy will not matter.
>
> No, the 'Display' dtml method and the 'Data' folder are both objects in the
> same, higher level folder
>
> i.e.
>
> Folder A
> |
> |-- Display method
> |-- Data folder
>     |
>     |-- image file
>
> where 'image file' is the object that 'Display' method is trying to access.
>
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )