[Zope] Re: Re: Blocking Sibling inheritance
Greg Fischer
retheoff at gmail.com
Wed Mar 9 22:03:13 EST 2005
Dieter,
It is possible, unless you take the "Authenticated" role off (by
unchecking it in Security). I thought, as you did, that it should not be
possible.
Here is bit from a previous post I did:
==========================
For example I have this folder structure:
/dev
/dev/test/dir1
/dev/test/dir2
/dev/1stbyte
/dev/1stbyte/folder1
/dev/1stbyte/folder2
/dev/tsport
/dev/tsport/db
/dev/tsport/db-01
/dev/tsport/db-02
--- Each of the lower subfolders (dir1, db, folder1 and 2) has its
own acl_users and user accounts ---
If I type in /dev/test/dir1 and consequently authenticate, I get in normally.
Then if I continue and change the url to:
/dev/test/dir1/dev/tsport/manage
I GET IN! All I need to do is add a new user to
/dev/test/dir1/dev/tsport/db/acl_users (which I can access) and I've
got a user account! That sucks!
==========================
This is not cool! I did post a bug report, but haven't heard anything
yet. Malcolm's workaround works, you just need to remove the
"Authenticated" role and add a custom one. I'd like to test Dario's
solution, adding "non-acquiring" folders might be nice. But really,
it should be fixed at the lowest level possible I would think.
Greg
On Wed, 9 Mar 2005 19:23:53 +0100, Dieter Maurer <dieter at handshake.de> wrote:
> Malcolm Cleaton wrote at 2005-3-9 10:59 +0000:
> >The issue can be worked around more easily than this. It is only the magic
> >"Authenticated" role which appears to suffer from this problem.
>
> It should not be necessary:
>
> A user should not be able to access any *protected* (!) object
> outside the subhierarchy governed by the user folder
> that authenticated the user.
>
> But maybe, we have a bug (and "aq_inContextOf" does not work
> as expected).
>
> --
> Dieter
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
>
--
Greg Fischer
1st Byte Solutions
http://www.1stbyte.com
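The two steps the post describes (acquiring the top-level dev folder through dir1's URL, then passing the role check because "Authenticated" is granted regardless of which user folder validated the request) can be reconstructed in a small model. The block below is an added illustration written for this archive page, not Zope's code and not anything Greg, Malcolm or Dieter posted: Folder, acquire, traverse, authenticate, roles_in_context and authorize are hypothetical stand-ins for Zope's implicit acquisition, user-folder lookup and role resolution, and the account names, passwords and the "which roles hold the manage permission" setting are constructed sample data. Local roles are collected along the containment chain only, which is why the custom-role workaround holds where the magic "Authenticated" role does not.

```python
"""Toy model of the acquisition traversal and role check described in the
thread.  Added illustration only: nothing here is Zope's implementation."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    children: dict = field(default_factory=dict)
    acl_users: dict = field(default_factory=dict)    # toy user folder: name -> password
    local_roles: dict = field(default_factory=dict)  # name -> set of roles granted here

    def add(self, child: "Folder") -> "Folder":
        child.parent = self
        self.children[child.name] = child
        return child

    def containment_chain(self):
        """Real parents only, the chain aq_inner/aq_parent would walk."""
        node, chain = self, []
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


def acquire(stack, name):
    """Implicit acquisition: resolve `name` from the current object, then from
    every earlier object on the traversal stack.  /dev/test/dir1/dev therefore
    finds the top-level dev folder while dir1 stays on the stack."""
    for obj in reversed(stack):
        if name in obj.children:
            return obj.children[name]
    raise KeyError(name)


def traverse(root, url_path):
    stack = [root]
    for seg in url_path.strip("/").split("/"):
        stack.append(acquire(stack, seg))
    return stack


def authenticate(stack, username, password):
    """Validate against the nearest user folder on the traversal stack that
    knows the credentials; return the folder owning that user folder."""
    for obj in reversed(stack):
        if obj.acl_users.get(username) == password:
            return obj
    return None


def roles_in_context(username, target):
    """"Authenticated" is handed to every validated user no matter which user
    folder validated them; local roles come from the containment chain only."""
    roles = {"Authenticated"}
    for obj in target.containment_chain():
        roles |= obj.local_roles.get(username, set())
    return roles


def authorize(root, url_path, username, password, allowed_roles):
    """allowed_roles: the roles holding the permission the request needs
    (assumed acquired from the top, as a permission setting on /dev would be)."""
    stack = traverse(root, url_path)
    target = stack[-1]
    if authenticate(stack, username, password) is None:
        return False
    return bool(roles_in_context(username, target) & allowed_roles)


def build_tree(workaround=False):
    """Folder layout from the post; accounts are constructed sample data.
    workaround=True grants dir1's user a custom local role ("DirUser")
    instead of relying on "Authenticated"."""
    root = Folder("")
    dev = root.add(Folder("dev"))
    test = dev.add(Folder("test"))
    dir1 = test.add(Folder("dir1", acl_users={"greg": "pw1"}))
    test.add(Folder("dir2"))
    first = dev.add(Folder("1stbyte"))
    first.add(Folder("folder1", acl_users={"f1": "pw"}))
    first.add(Folder("folder2", acl_users={"f2": "pw"}))
    tsport = dev.add(Folder("tsport"))
    tsport.add(Folder("db", acl_users={"bob": "pw2"}))
    tsport.add(Folder("db-01"))
    tsport.add(Folder("db-02"))
    if workaround:
        dir1.local_roles["greg"] = {"DirUser"}
    return root


# Permission granted to "Authenticated" (as posted) vs to a custom role (workaround).
AS_POSTED = frozenset({"Manager", "Authenticated"})
WORKAROUND = frozenset({"Manager", "DirUser"})

if __name__ == "__main__":
    r = build_tree()
    print("as posted, /dev/test/dir1/dev/tsport:",
          authorize(r, "/dev/test/dir1/dev/tsport", "greg", "pw1", AS_POSTED))
    r = build_tree(workaround=True)
    print("workaround, /dev/test/dir1/dev/tsport:",
          authorize(r, "/dev/test/dir1/dev/tsport", "greg", "pw1", WORKAROUND))
```

Requesting /dev/tsport directly fails in the model because no user folder on that traversal stack knows greg; the acquired URL succeeds only because dir1 remains on the stack for validation while tsport's containment chain never passes through dir1. That asymmetry is exactly what the "Authenticated" role ignores and a containment-based local role respects.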