[Zope-CMF] Security problem in CMF
Shane Hathaway
shane@zope.com
Tue, 03 Jun 2003 16:41:08 -0400
Jeff Coleman wrote:
> Should objects in a skin folder IGNORE the security setting of the skin
> folder they are in?
> Considering how Zope security works with acquisition I think this is a
> BIG security problem.
We recognized this weakness when designing the skin machinery. So we
set a policy that everything in the skins tool is public, regardless of
security settings. Do not put anything that should be restricted in the
skins tool! Put your effort into protecting the objects being accessed,
not the skins.
In fact, this is the reason you can't use objects outside the skins tool
as skins. The system is fairly secure as long as you don't change this
policy.
Shane
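The policy described above, as a small Python model added here for illustration (this is not Zope or CMF code; SkinsTool, Folder, Obj, User and the hypothetical permission-walking logic are all invented to mirror the described behaviour): objects are only usable as skins if they live under the skins tool, skin lookups ignore any security setting on the skin folder, and the content objects a skin touches are still checked through the normal acquisition-based permission walk.

```python
# Hypothetical model of the CMF skin policy; added example, not Zope/CMF source.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


@dataclass
class User:
    roles: frozenset


@dataclass
class Obj:
    name: str
    # permission name -> set of roles allowed; missing key means "acquire"
    permissions: dict = field(default_factory=dict)
    parent: "Folder | None" = None

    def roles_for(self, permission):
        # Acquisition-style walk: first explicit setting up the containment
        # chain wins; the root default is Manager-only (assumption of this model).
        node = self
        while node is not None:
            if permission in node.permissions:
                return set(node.permissions[permission])
            node = node.parent
        return {"Manager"}


@dataclass
class Folder(Obj):
    children: dict = field(default_factory=dict)

    def add(self, obj):
        obj.parent = self
        self.children[obj.name] = obj
        return obj


class SkinsTool(Folder):
    """Only direct child folders of the tool can be skin layers."""

    def __init__(self, name):
        super().__init__(name)
        self.layers = []  # layer folder names, searched in order

    def lookup(self, name):
        for layer in self.layers:
            folder = self.children[layer]
            if name in folder.children:
                return folder.children[name]
        raise KeyError(name)  # nothing outside the skins tool is eligible


def check_permission(user, obj, permission):
    allowed = obj.roles_for(permission)
    return "Anonymous" in allowed or bool(user.roles & allowed)


def traverse_skin(skins, user, name):
    # Policy: everything in the skins tool is public, so no permission check
    # is made here at all, whatever the skin folder's settings say.
    return skins.lookup(name)


def access_content(user, obj, permission="View"):
    # The objects a skin renders or calls are where protection actually lives.
    if not check_permission(user, obj, permission):
        raise Unauthorized(obj.name)
    return obj


def scenario():
    # Constructed site layout for the demonstration.
    site = Folder("site")
    skins = site.add(SkinsTool("portal_skins"))
    custom = skins.add(Folder("custom", permissions={"View": {"Manager"}}))
    tmpl = custom.add(Obj("secret_template"))
    skins.layers = ["custom"]
    private_doc = site.add(Obj("private_doc", permissions={"View": {"Manager"}}))
    public_doc = site.add(Obj("public_doc", permissions={"View": {"Anonymous"}}))
    anon = User(frozenset({"Anonymous"}))

    results = {}
    # The folder ACL would deny anonymous if it were consulted...
    results["folder_acl_denies"] = not check_permission(anon, tmpl, "View")
    # ...but skin lookup ignores it: the template is served anyway.
    results["skin_served"] = traverse_skin(skins, anon, "secret_template") is tmpl
    # An object outside the skins tool cannot be used as a skin.
    try:
        traverse_skin(skins, anon, "private_doc")
        results["outside_as_skin"] = True
    except KeyError:
        results["outside_as_skin"] = False
    # The content objects behind the skin keep their own protection.
    try:
        access_content(anon, private_doc)
        results["private_doc_anon"] = True
    except Unauthorized:
        results["private_doc_anon"] = False
    results["public_doc_anon"] = access_content(anon, public_doc) is public_doc
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The takeaway the model makes visible: restricting the skin folder changes nothing ("folder_acl_denies" is True yet "skin_served" is True), so the only effective control is the permission on the content the skin reaches.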