[Zope] Re: restricting permissions for direct access only
Tres Seaver
tseaver at palladion.com
Wed Feb 15 23:49:33 EST 2006
Michael Shulman wrote:
> On 2/15/06, Chris Withers <chris at simplistix.co.uk> wrote:
>
>>>But... it's still not working for my real site. I think the issue is
>>>this. If script1 has proxy role Manager, and script2 has view
>>>permissions set only for Manager, then script1 can call script2, no
>>>problem. But if script1 instead calls script3, which then calls
>>>script2, it doesn't work unless script3 *also* has proxy role Manager.
>>
>>Yes, this was a deliberate change made a few major releases ago. I've
>>never much liked it myself for exactly the reason you describe. I wonder
>>if anyone who knows could point out why this change was made, I'm sure
>>the reasons were good...
>
>
> Even if the reasons were good, it would be nice to have an option to
> turn it on or off, even if the default is off. At the very least, it
> would be nice if this fact were documented. (Is it somewhere and I
> just missed it?) It surprised me very much, and it would have
> surprised and frustrated me even more if I'd written a site which
> worked and then later on decided to split off the functionality of
> some private script into a secondary one, unsuspecting that it would
> break the proxy roles setup.

The prior behavior (allowing users to access protected resources "above"
the domain of their user folders) was a security hole caused by a bug,
and was never documented as allowable: correcting it was a matter for a
rather urgent fix, as it broke the explicitly-documented model.

The fact that folks wrote applications which relied on the hole is
unfortunate; breaking them is better than leaving the sites built
around the defined model vulnerable to abuse.

Tres.
--
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
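
A simplified Python model of the call-chain behaviour discussed in this thread, added as an illustration and not taken from Zope or from any poster. It assumes that only the proxy roles of the script currently executing are consulted when that script calls another one; `Script`, `run`, `outcome`, `entry_point` and the sample role sets are hypothetical names, and Zope's real security policy checks more than this.

```python
from dataclasses import dataclass

class Unauthorized(Exception):
    pass

@dataclass(frozen=True)
class Script:
    name: str
    view_roles: frozenset            # roles holding the View permission here
    proxy_roles: frozenset = frozenset()
    calls: tuple = ()                # scripts this script calls, in order

def allowed(target, user_roles, stack):
    # Assumption of this model: only the innermost running script counts.
    # Its proxy roles, if any, replace the user's roles; proxy roles set
    # on scripts further up the call chain are not inherited.
    current = stack[-1] if stack else None
    effective = current.proxy_roles if current and current.proxy_roles else user_roles
    return bool(effective & target.view_roles)

def run(script, user_roles, stack=()):
    if not allowed(script, user_roles, stack):
        caller = stack[-1].name if stack else "direct request"
        raise Unauthorized(f"{caller} -> {script.name}")
    for callee in script.calls:
        run(callee, user_roles, stack + (script,))
    return "ok"

def outcome(entry, user_roles):
    try:
        return run(entry, user_roles)
    except Unauthorized as exc:
        return f"Unauthorized: {exc}"

# Constructed sample site, named after the scripts in the thread.
MANAGER, ANON = frozenset({"Manager"}), frozenset({"Anonymous"})
PUBLIC = MANAGER | ANON
script2 = Script("script2", view_roles=MANAGER)
script3 = Script("script3", view_roles=PUBLIC, calls=(script2,))
script3_proxied = Script("script3", PUBLIC, proxy_roles=MANAGER, calls=(script2,))

def entry_point(callee):
    # script1: publicly viewable, proxy role Manager, calls `callee`.
    return Script("script1", PUBLIC, proxy_roles=MANAGER, calls=(callee,))

if __name__ == "__main__":
    for callee in (script2, script3, script3_proxied):
        print(outcome(entry_point(callee), ANON))
    print(outcome(script2, ANON))
```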