[Zope-DB] cannot secure DCOracle2 connection string?

Jim Abramson jabramson at wgen.net
Fri Sep 12 11:40:21 EDT 2003

Hello, I am perplexed by a security issue with DCO2 connections:

I'm trying to restrict access to the connection strings of certain database connections to all but a few of the developers with "manage" access to our Zope installations (using a locally-defined role). But it does not seem to be possible! 

If I restrict "View" and/or "Access Contents Information" on the containing folder...the connection_string of the dco2 connection can't be accessed - but of course, because the connection cannot be used either (nor anything else in the Folder). 

Meanwhile, restricting either "View" or "Access Contents Information" on the connection object itself seems to have no effect - that is, anyone with Manager can put a Python script anywhere, find the dco2 connection object, read and print its connection_string.

Is this a catch-22, or am I missing something? Is it impossible to have a DCOracle2 connection that can be used by Zope pages, without exposing the connection_string to anyone with ZMI access?

