[Zope-CMF] Security problems

Florent Guillaume fg@nuxeo.com
Sat, 1 Jun 2002 17:55:32 +0000 (UTC)


Private means that no restricted code (i.e., DTML, ZPT or Python
Script) can call it.

Restricted means that it's protected by a given permission that the caller
must have (through its roles).

I have one possible explanation for the behavior you observed: the
first DTML method was created ("Owner" tab) by someone who has since lost
his Manager role or his account. Keep in mind that the roles available
to a restricted method that is executing are the *intersection* of the
roles of the owner of the method and those of the current user.

Florent


Kevin Carlson <khcarlso@bellsouth.net> wrote:
> Well, the problem is fixed but it seems an awful lot like magic.  The
> function in question, getMemberByID, was being called by a DTML method and
> was failing in a DTML method called by the first method.  In a last,
> desperate attempt, I created a copy of the second method, deleted the
> original and renamed the new copy to match the original method name.   Just
> as quickly as things had stopped working, they started working again.
> 
> My question to the list is this:  Could this type of behavior be caused by a
> corrupted object in the ZODB?  If so, can anyone hazard a guess at how this
> type of corruption occurs?
> 
> Thanks,
> 
> Kevin
> 
> -----Original Message-----
> From: zope-cmf-admin@zope.org [mailto:zope-cmf-admin@zope.org]On Behalf
> Of Kevin Carlson
> Sent: Thursday, May 30, 2002 4:57 PM
> To: zope-cmf group
> Subject: [Zope-CMF] Security problems
> 
> 
> All of a sudden, I am having problems accessing the function getMemberById in
> the portal_membership tool.  I noticed in the source code that it is
> declared as protected.  Can someone explain what the difference is between
> protected and private in the Zope sense?  Does one allow access from DTML /
> ZPT and the other doesn't?
> 
> Thanks,
> 
> Kevin
> 
> 
> 
> _______________________________________________
> Zope-CMF maillist  -  Zope-CMF@zope.org
> http://lists.zope.org/mailman/listinfo/zope-cmf
> 
> See http://www.zope.org/Products/PTK/Tracker for bug reports and feature
> requests
> 


-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
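
The role intersection described in the reply, and why re-creating the DTML method made the call work again, as an added example that is not part of the original message and is not Zope's own code. It is a simplified model: the role table, the `Manage users` permission, the user and method names, and the rule that a copy is owned by whoever made it are assumptions for illustration.

```python
"""Simplified model of the check described above; not Zope's AccessControl code."""
from dataclasses import dataclass

PRIVATE = object()  # declaration marker: never callable from restricted code

# Constructed role -> permission table (an assumption for this example).
ROLE_PERMISSIONS = {
    "Manager": {"Manage users", "View"},
    "Member": {"View"},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass(frozen=True)
class DTMLMethod:
    name: str
    owner: User  # what the "Owner" tab reports

def effective_roles(user, executable):
    """Roles usable while the method runs: owner's roles AND caller's roles."""
    return user.roles & executable.owner.roles

def may_call(protection, user, executable):
    """protection is PRIVATE or the name of the guarding permission."""
    if protection is PRIVATE:
        return False  # DTML, ZPT and Python Scripts can never reach it
    roles = effective_roles(user, executable)
    return any(protection in ROLE_PERMISSIONS.get(r, ()) for r in roles)

def copy_as(executable, new_owner):
    """Assumption: a copy is owned by whoever made it."""
    return DTMLMethod(executable.name, new_owner)

# Constructed scenario: the method's creator was later demoted from Manager.
former_admin = User("former_admin", frozenset({"Member"}))
kevin = User("kevin", frozenset({"Manager", "Member"}))
stale = DTMLMethod("show_member", owner=former_admin)
fresh = copy_as(stale, kevin)

if __name__ == "__main__":
    for m in (stale, fresh):
        print(m.owner.name, sorted(effective_roles(kevin, m)),
              may_call("Manage users", kevin, m))
```

When a protected call fails for a user who clearly holds the permission, checking the calling method's "Owner" tab is the first diagnostic step this model suggests.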