[Zope] Re: Blocking Sibling inheritance
Chris Withers
chris at simplistix.co.uk
Thu Mar 3 10:08:57 EST 2005
Greg Fischer wrote:
> I have folder 1: /site/dev/customer1/folder/page
> And folder 1: /site/dev/customer2/folder1/folder2/page
>
> Each customer level folder has acl_users with different/separate
> accounts. The security at the customer level folder is set to not
> acquire and no anonymous access. Now here is the problem I see, you
> type in your URL:
> someplace.com/site/dev/customer1/folder/page
>
> You are asked to authenticate. Then you change your url after
> authentication to:
> somplace.com/site/dev/customer1/folder/customer2/folder1/folder1/page
>
> And you get right in with no authentication! That should not be allowable.
Does that work if you simplify it to:
somplace.com/site/dev/customer1/customer2/folder1/folder2/page
?
Are you sure 'page' is the page from customer 2 and not the one from
customer 1?
Well, some possibilities:
- The user you logged in as comes from a "higher up" user folder, in
which case they'd be able to access either customer
- there's a serious security hole in zope ;-)
If you can reproduce it and are sure everything is as it should be, boil
it down to the simplest possible case that reproduces the bug and chuck
it into the collector at:
http://www.zope.org/Collectors/Zope
...'cos it'll need urgent attention!
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
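The two things Chris asks Greg to confirm (which 'page' the URL really reaches, and which user folders the traversal passed through) can be worked out from a small model of implicit acquisition. The code below is an added illustration, not Zope's code and not from this thread: it reduces acquisition to the one rule that matters here, namely that a name missing from the current object is looked up along the acquisition chain and the result is wrapped with the current object as its context, so the chain becomes [found, current, ...]. The site layout is constructed from the paths in the report, and the helper names (`traverse`, `user_folders_seen`, `escapes_tenant`, `resolve`) are the example's own.

```python
"""Toy model of implicit acquisition during URL traversal (added example).

Simplification: each folder has a containment parent, a dict of children and a
flag saying whether it carries its own acl_users. Traversal keeps the acquisition
chain [object, context, ...]; a name is looked up in each chain element in turn.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    children: dict = field(default_factory=dict)
    parent: "Folder | None" = None       # containment parent (where it really lives)
    has_acl_users: bool = False           # folder carries its own user folder

    def add(self, child: "Folder") -> "Folder":
        child.parent = self
        self.children[child.name] = child
        return child

    def physical_path(self) -> str:
        """Containment path, independent of how the object was reached."""
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))


def traverse(root: Folder, url_path: str) -> list:
    """Return the acquisition chain [object, context, ...] for url_path."""
    chain = [root]
    for name in url_path.strip("/").split("/"):
        for node in chain:                # implicit acquisition: nearest wins
            if name in node.children:
                chain = [node.children[name]] + chain
                break
        else:
            raise KeyError(f"{name!r} not found along {[n.name for n in chain]}")
    return chain


def user_folders_seen(chain: list) -> list:
    """Containment paths of folders with their own acl_users that the
    traversal passed through, innermost first."""
    return [n.physical_path() for n in chain if n.has_acl_users]


def escapes_tenant(chain: list, authenticated_at: str) -> bool:
    """Defender-side check: the folder whose acl_users authenticated the
    request must be a containment ancestor of the resolved object. An object
    reached only through an acquisition context (a sibling) is flagged."""
    node = chain[0]
    while node is not None:
        if node.physical_path() == authenticated_at:
            return False
        node = node.parent
    return True


def build_site() -> Folder:
    """Constructed layout from the report: two customers, separate acl_users."""
    root = Folder("")
    dev = root.add(Folder("site")).add(Folder("dev"))
    c1 = dev.add(Folder("customer1", has_acl_users=True))
    c1.add(Folder("folder")).add(Folder("page"))
    c2 = dev.add(Folder("customer2", has_acl_users=True))
    c2.add(Folder("folder1")).add(Folder("folder2")).add(Folder("page"))
    return root


def resolve(url_path: str) -> dict:
    """What a given URL actually reaches in the constructed site."""
    chain = traverse(build_site(), url_path)
    return {
        "resolved": chain[0].physical_path(),
        "user_folders": user_folders_seen(chain),
        "escapes_customer1": escapes_tenant(chain, "/site/dev/customer1"),
    }


if __name__ == "__main__":
    for url in ("/site/dev/customer1/folder/customer2/folder1/folder1/page",
                "/site/dev/customer1/customer2/folder1/folder2/page"):
        print(url, "->", resolve(url))
```

Run against the URL from the report, the model resolves 'page' to /site/dev/customer1/folder/page: the repeated folder1 segment is acquired from customer2, and 'page' is then found in the customer1/folder context, which is the mix-up Chris is asking about. Only the simplified URL reaches customer2's page, and for that one `escapes_tenant` reports that the authenticating customer1 folder is not a containment ancestor of the object served, which is the condition worth logging or denying when reproducing the report.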