[Zope] major problems placing authentication on an extranet site-security flaw?
Andreas Pakulat
apaku at gmx.de
Wed Feb 8 17:47:01 EST 2006
On 08.02.06 21:38:26, michael nt milne wrote:
> Of course I did. Why on earth would you be able to view a front page of a
> site when it is labelled as 'authenticated' and also as 'manager' ? just by
> pressing cancel or return a few times.
I just checked that with a plain Zope's index_html. I cannot view
localhost:8080/ when I change the security setting of index_html to
allow View only for authenticated. However I can view it when I
authenticate with the initial user information.
Now the same thing with a Plone site: after removing the View right from
front_page I get a screen telling me to authenticate. Not the "box",
because Plone normally uses cookie-auth; you should be able to change
that in the UserFolder. If I use the initial user with the
cookie-based form I can see the Plone site.
Then I removed the View right from the Plone site object for Anonymous,
and when I access localhost:8080/p1 I get the Basic HTTP login box;
giving it the initial user info, it lets me view the front_page.
> Big security flaw I'm sorry.
I wonder why you are the only one experiencing this... Maybe because the
error is on your side (or sits in front of your monitor)? And not Zope.
> Also
> superuser passwords don't work when security is set up and I've tried this
> on a couple of set-ups. And this is apart from the usability.
What do you mean by superuser? There is no superuser; you have an
initial user, but that's not a user you'd normally use to log in. You add
new users in the user folder.
And what usability problem are you now talking about?
Andreas
--
Reply hazy, ask again later.
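The permission test described in this reply, as an added, simplified model that is not Zope's or Plone's own code: each object holds a per-permission role list plus an "acquire" flag, and a request is allowed when the user's roles intersect the roles collected while walking up the hierarchy. The object names, the user dictionaries and the `leaky` object (View restricted but acquisition left on) are constructed for the example.

```python
# Added example: simplified model of Zope-style permission resolution.
# Not Zope's code; it mimics the per-object role list plus the
# "acquire permission settings" flag so the Anonymous vs Authenticated
# cases from the thread can be checked offline.

class ZObject:
    """A folder or document carrying per-permission role settings."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        # permission -> (roles granted here, acquire-from-parent flag)
        self.settings = {}

    def manage_permission(self, permission, roles, acquire=True):
        self.settings[permission] = (set(roles), acquire)

    def roles_for(self, permission):
        """Walk up the hierarchy, merging roles while acquisition is on."""
        roles, obj = set(), self
        while obj is not None:
            local, acquire = obj.settings.get(permission, (set(), True))
            roles |= local
            if not acquire:
                break
            obj = obj.parent
        return roles


def roles_of(user):
    """Anonymous gets only 'Anonymous'; a logged-in user also 'Authenticated'."""
    if user is None:
        return {"Anonymous"}
    return {"Authenticated"} | set(user.get("roles", []))


def allowed(user, obj, permission="View"):
    return bool(roles_of(user) & obj.roles_for(permission))


def build_site():
    # Constructed hierarchy: root grants View to everyone (Zope's default),
    # index_html grants View to Authenticated only with acquisition off,
    # 'leaky' has the same role list but acquisition left on.
    root = ZObject("root")
    root.manage_permission("View", ["Anonymous", "Authenticated", "Manager"], acquire=False)
    index_html = ZObject("index_html", parent=root)
    index_html.manage_permission("View", ["Authenticated"], acquire=False)
    leaky = ZObject("leaky", parent=root)
    leaky.manage_permission("View", ["Authenticated"], acquire=True)
    return root, index_html, leaky
```

With acquisition on, the parent's Anonymous grant is merged back in, so `leaky` stays viewable without logging in even though its own role list looks restricted; that checkbox is the first thing to verify when a restricted page is still visible.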