[Zope] Why I must set
security-property "Access contents information"
to get Data from Database?
Dieter Maurer
dieter at handshake.de
Fri Feb 11 14:17:38 EST 2005
Chris Withers wrote at 2005-2-11 11:59 +0000:
> ...
>Dieter Maurer wrote:
>> This would be the case, would ZPublisher use the standard traversal
>> procedure.
>> But, it fact, it does not do that. Instead, it traverses to
>> the URL addressed target disregarding any security restrictions,
>
>I'm afraid this is incorrect.
> ...
>Maybe you have some patches in place which affect this
In fact, I have patches in place -- but they do not change Zope
in this way ;-)
>, but a normal
>Zope server does not behave as you describe, and many people would be
>pretty disturbed if it did...
Then they should have a look at the code of
"ZPublisher.BaseRequest.BaseRequest.traverse"
This method is responsible for URL traversal.
They can easily recognize two parts of this function:
the traversal loop
authentication
During the traversal loop, there are no access checks (as I have said).
And this must be the case, as there is not yet any user!
"roles" are determined during traversal, usually for the last object traversed
to, unless this object does not have a "__roles__"
attribute (then for its parent, unless
it does not have a "__roles__" attribute either, and so on).
The authentication then looks for a userfolder that
is able to authenticate a user with the roles determined
during traversal.
That's all of the security checks performed during traversal.
In case, they are disturbed by this, then they have reasons indeed...
Does the stock Zope code look differently ;-)
--
Dieter
More information about the Zope
mailing list