[Zope-CMF] Security problem in CMF

Jeff Coleman jeff@hi-privacy.net
Wed, 4 Jun 2003 08:10:11 -0500


The .security does work on individual methods, but does not acquire
security settings.  This provides a weak form of securing application
logic in the skins, i.e. in normal Zope you secure a folder and everything
below it is secure by default, in the skins you have to explicitly
set security on each object - forget 1 and you're out of luck....

In its current state, the security tab should be removed from all
'container' objects in the portal_skins tool...

Could the security acquisition be a setting in the portal?

Thanks,
Jeff

-----Original Message-----
From: Chris Withers [mailto:chrisw@nipltd.com]
Sent: Wednesday, June 04, 2003 2:30 AM
To: Shane Hathaway
Cc: Jeff Coleman; Zope-Cmf@Zope.Org (E-mail)
Subject: Re: [Zope-CMF] Security problem in CMF


Shane Hathaway wrote:
> Jeff Coleman wrote:
>
>> Should objects in a skin folder IGNORE the security setting of the skin
>> folder they are in?
>> Considering how Zope security works with acquisition I think this is a
>> BIG security problem.
>
> We recognized this weakness when designing the skin machinery.  So we
> set a policy that everything in the skins tool is public, regardless of
> security settings.  Do not put anything that should be restricted in the
> skins tool!

Hmmm, is this still true?

With the .security stuff for FSDV skins, you can now set security
properties on individual skin methods.

This worked pretty well for me on a couple of projects and no-one
complained when the code got merged into the core...

> Put your effort into protecting the objects being accessed,
> not the skins.

Well, that's not always possible. Sometimes you want one view of an
object to be anonymously accessible while another isn't...

cheers,

Chris
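The failure mode Jeff describes (no acquisition in the skins tool, so one forgotten declaration leaves a skin method public) can be caught with an audit of the filesystem skin directory. The script below is an added example, not code from the thread or from CMF; it assumes a declaration lives either in a `<file>.security` sidecar or in a `[security]` section of a `<file>.metadata` file, and builds a constructed sample skin tree to run against.

```python
import configparser
import os
import tempfile

SIDECAR_SUFFIXES = (".security", ".metadata")  # assumed sidecar layouts


def has_security_declaration(path):
    """True if the skin file at `path` has an explicit security declaration."""
    if os.path.exists(path + ".security"):       # old-style sidecar (assumed)
        return True
    meta = path + ".metadata"                    # later-style sidecar (assumed)
    if os.path.exists(meta):
        cp = configparser.RawConfigParser()
        cp.read(meta)
        return cp.has_section("security")
    return False


def find_unprotected(skins_root):
    """List skin methods under `skins_root` with no explicit declaration.

    Skin security is not acquired from the containing folder, so every
    file returned here is effectively public, whatever the folder says.
    """
    unprotected = []
    for dirpath, _dirs, files in os.walk(skins_root):
        for name in files:
            if name.endswith(SIDECAR_SUFFIXES):
                continue                          # sidecars are not methods
            full = os.path.join(dirpath, name)
            if not has_security_declaration(full):
                unprotected.append(os.path.relpath(full, skins_root))
    return sorted(unprotected)


def audit_sample():
    """Constructed sample tree: two protected methods, one forgotten, one view."""
    files = {
        "custom/admin/reindex.py": "## Script (Python)\nreturn 1\n",
        "custom/admin/reindex.py.security": "View = 0:Manager\n",
        "custom/admin/purge.py": "## Script (Python)\nreturn 1\n",
        "custom/admin/purge.py.metadata": "[security]\nView = 0:Manager\n",
        "custom/admin/export.py": "## Script (Python)\nreturn 1\n",  # forgotten
        "custom/index_html.pt": "<html>public</html>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "custom", "admin"))
        for rel, body in files.items():
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write(body)
        return find_unprotected(tmp)


if __name__ == "__main__":
    for rel in audit_sample():
        print("no explicit security declaration:", rel)
```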