[Zope] REMOTE_USER Security Issue
Dieter Maurer
dieter at handshake.de
Mon May 22 17:45:16 EDT 2006
Cliff Ford wrote at 2006-5-14 23:39 +0100:
> ...
>My problem is that I figured out how a user who has permission to create
>python scripts (might work with dtml and page templates too) could
>access otherwise forbidden content by making calls that pretend to come
>from another user. Has any one else come across this problem and devised
>a solution, either in software or organisation?
>
>Problem verified with Zope 2.9.2 and latest RemoteUserFolder.
That surprises me -- unless the user can create "AccessRule"s:
Usually, authentication is performed before any PythonScript is executed.
I know only one exception: "AccessRule"s
--
Dieter