[Zope] calling scripts from scripts and permission

massimop at users.berlios.de massimop at users.berlios.de
Thu Nov 25 14:18:19 EST 2004


Il giorno gio, 25-11-2004 alle 20:02 +0100, Robert Rottermann ha
scritto:
> Massimo,
> there are two things to consider.
> The rights of the first script which is manager and should therefore be 
> enough for what ever you want to do.
> BUT:
> the maximum rights it can acquire when running the second script are the 
> ones the owner of that script has.
> To avoid cross scripting attacks a script will always run with the 
> rights of the script owner.
> Otherwise you could try to trick some manager to execute a malicious 
> script you do not have enough credentials to run.
> 
> Robert
> 

thanks for your answer

unfortunately both the scripts are owned by Manager...

still no clue


thanks
massimo




More information about the Zope mailing list