[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Michael Vartanyan
pycry at doli.biz
Tue Feb 14 17:49:12 EST 2006
I agree. A little bit of a problem is that both the Zope 2 Book and the ZMI
do not seem to agree. I guess this was/is not the practice that Zope 2
developers endorsed/followed. But "Zope2 is beyond help" (C) Chris M.
(taken out of context by me :-))
Florent Guillaume wrote:
>
>
> Michael Vartanyan wrote:
>
>>
>> I guess changing the form method to GET is not going to be liked by
>> browsers that put additional restrictions on URL length. So I would
>> propose to introduce a basic request sanity check in the
>> manage_changePermissions itself. I cannot think of any use for
>> resetting all permissions and acquisition for everyone, so the
>> easiest way to do that is to simply check that at least something
>> exists in the form:
>
>
> Actually the proper way to do it, and for exactly the reasons you
> outlined above, is to always do a redirect to a "result page" url
> after a POST that has side effects. It's even mandated by the
> HTTP/HTML specs.
>
> Florent
>
>
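The two defensive measures discussed in this thread, a sanity check that refuses a permission form carrying no permission fields, and a redirect to a result page after a side-effecting POST so that a browser reload or back-navigation cannot replay it, shown together as an added, framework-independent Python example. This is not code from the thread or from Zope itself; `Folder`, `apply_permission_form`, `handle_post`, the `permission_`/`acquire_` field naming and the `manage_access_result` target are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlencode


@dataclass
class Folder:
    """Hypothetical in-memory stand-in for a content object's permission map.
    Each permission name maps to (roles granted, acquire-from-parent flag).
    The initial values are constructed sample data."""
    permissions: Dict[str, Tuple[List[str], bool]] = field(default_factory=lambda: {
        "View": (["Anonymous", "Manager"], True),
        "Change permissions": (["Manager"], True),
    })


class EmptyPermissionForm(Exception):
    """Raised when a POST carries no permission fields at all, which is what
    a replayed or blank submission looks like; applying it would silently
    reset every permission and acquisition flag."""


def apply_permission_form(folder: Folder, form: Dict[str, List[str]]) -> int:
    """Sanity-check the submitted form, then apply it.

    Only keys beginning with 'permission_' are treated as permission settings
    (hypothetical naming). If there are none, refuse instead of wiping the map.
    Returns the number of permissions changed."""
    perm_keys = [k for k in form if k.startswith("permission_")]
    if not perm_keys:
        raise EmptyPermissionForm("refusing to reset all permissions from an empty form")
    changed = 0
    for key in perm_keys:
        name = key[len("permission_"):]
        roles = sorted(form[key])
        acquire = form.get("acquire_" + name, ["0"])[0] == "1"
        folder.permissions[name] = (roles, acquire)
        changed += 1
    return changed


def handle_post(folder: Folder, form: Dict[str, List[str]]) -> Tuple[int, Dict[str, str], str]:
    """Minimal handler returning (status, headers, body).

    Post-Redirect-Get: after a successful side-effecting POST, answer
    303 See Other with a Location pointing at a separate result page, so the
    browser's reload/back never re-submits the permission change. A form that
    fails the sanity check is rejected with 400 and nothing is modified."""
    try:
        changed = apply_permission_form(folder, form)
    except EmptyPermissionForm as exc:
        return 400, {"Content-Type": "text/plain"}, str(exc)
    location = "manage_access_result?" + urlencode({"changed": changed})
    return 303, {"Location": location}, ""


if __name__ == "__main__":
    folder = Folder()
    # Constructed submission: restrict "View" to Manager, stop acquiring it.
    good = {"permission_View": ["Manager"], "acquire_View": ["0"]}
    print(handle_post(folder, good))      # (303, {'Location': 'manage_access_result?changed=1'}, '')
    # A blank replay must not touch anything.
    print(handle_post(folder, {}))        # (400, ..., 'refusing to reset ...')
    print(folder.permissions["View"])     # (['Manager'], False)
```

The status code matters: 303 tells the browser to fetch the Location with GET regardless of the original method, which is the behaviour the thread is relying on to keep the side effect out of the history and out of any refresh.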