[Zope-CMF] Security behavior question

Tres Seaver tseaver@zope.com
Fri, 14 Dec 2001 19:08:14 -0500


Doyon, Jean-Francois wrote:

> Hello,
> 
> I just noticed a security behavior that surprised me.
> 
> Let's say I have an object I access by the URL:
> 
> http://localhost/path/to/my/object
> 
> Now let's say that object is marked "private" ...
> 
> If I try to access the URL above, I'll get redirected to the Log In page ...
> which is fine ...
> 
> If I try to access it with a /view , same thing happens, also fine ...
> 
> If however I try to access it using the component used to view (i.e. the
> "action" item of the "view" action) it WORKS! An anonymous user just managed
> to view a private item!
> 
> This is the default behavior, I haven't touched anything.
> 
> Is this right? How do I get around it? Do I have to build the security check
> into the DTML used to view the object? That seems strange, shouldn't the
> security model "climb up the tree" and make sure the user (in this case
> anonymous) has the rights not only to the DTML template used to view the
> object, but the object itself?
> 
> Any help would be most appreciated,


I can't reproduce this behavior on any CMF sandbox (CVS head,
1.2, and older version from October, etc.)  Here is what I did:

   1. Created a new CMFSite, 'foobar'.

   2. As manager, created a Document, 'Baz', and edited it,
      leaving it in "Private" state.

   3. In a different browser, I navigated to each of these URLs:

      - http://localhost:9080/foobar/Baz

      - http://localhost:9080/foobar/Baz/view

      - http://localhost:9080/foobar/Baz/document_view

      All three redirected me to the login form.

Can you supply more details?  For instance, have you tweaked
any permissions on the CMFSite, or on any of its parent folders?
Have you customized the 'document_view' method, and could it have
proxy roles if so?  What versions of Zope and the CMF?  Could the
version you saw in the browser have been cached?

 
Tres.

-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com

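As an added example (not code from this thread or from the CMF), here is a small Python probe that repeats the three-URL test above against a running CMF site and flags any variant that serves content to an anonymous user. It assumes the CMF answers unauthenticated requests with a redirect whose Location contains "login_form", and it uses the host and paths from the message; the fetch function is injectable so the classification logic can be exercised offline.

```python
"""Probe the three ways of reaching a private CMF Document anonymously."""
import urllib.error
import urllib.request

# URL variants from the message: the object, /view, and the view action's template.
VARIANTS = ("", "/view", "/document_view")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a redirect-to-login stays visible as a 302."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def fetch_anonymous(url):
    """Unauthenticated GET; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def is_denied(status, location, login_form="login_form"):
    """True when the response denies access: a 401/403, or a redirect to the
    login form. The 'login_form' substring is an assumption about the site."""
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307, 308):
        return bool(location) and login_form in location
    return False


def check_private_object(base_url, fetch=fetch_anonymous, variants=VARIANTS):
    """Probe every variant of base_url; returns {url: denied?}."""
    return {base_url + v: is_denied(*fetch(base_url + v)) for v in variants}


def leaks(results):
    """URLs that rendered for an anonymous user instead of being denied."""
    return sorted(url for url, denied in results.items() if not denied)


if __name__ == "__main__":
    # Host and object path taken from Tres's repro steps.
    res = check_private_object("http://localhost:9080/foobar/Baz")
    for url, denied in res.items():
        print(("denied  " if denied else "LEAKED  ") + url)
```

If the object is really private, every line should read "denied"; a "LEAKED" line for /document_view is the symptom described in the original question and points at the template's own permissions or proxy roles.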