[Zope-DB] cannot secure DCOracle2 connection string?
Matthew T. Kromer
matt at zope.com
Fri Sep 12 12:35:07 EDT 2003
Jim Abramson wrote:
>Hello, I am perplexed by a security issue with DCO2 connections:
>I'm trying to restrict access to the connection strings of certain database connections to all but a few of the developers with "manage" access to our Zope installations (using a locally-defined role). But it does not seem to be possible!
>If I restrict "View" and/or "Access Contents Information" on the containing folder...the connection_string of the dco2 connection can't be accessed - but of course, because the connection cannot be used either (nor anything else in the Folder).
>Meanwhile, restricting either "View" or "Access Contents Information" on the connection object itself seems to have no effect - that is, anyone with Manager can put a python script anywhere, find the dco2 connection object, read and print its connection_string.
>Is this catch-22, or am I missing something? Is it impossible to have a DCOracle2 connection that can be used by Zope pages, without exposing the connection_string to anyone with ZMI access?
>Thanks for any advice,
Hmm... it's probably always been that way. One way you could change
that, I think, is to do a global replace on "connection_string" with
"_connection_string". You might also be able to modify the DA.py file's
Connection object to set something like connection_string__roles =
('Manager',) to only allow managers to see the connection string. I'm
actually very rusty on that section of the code, I'm afraid.
Zope Corporation http://www.zope.com/
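
The two changes suggested in the reply above, as an added example that is not part of the original thread and is not Zope's or DCOracle2's code: a simplified Python model of restricted script code being refused underscore-prefixed names and names that carry a `<name>__roles__` declaration. The `DBAdmin` role, the class and function names, and the sample connection string are assumptions made for illustration.

```python
# Simplified model of name-based attribute guarding for restricted code.
# Assumption: this is NOT Zope's AccessControl code; Unauthorized,
# guarded_getattr, can_read and the DBAdmin role are illustrative names.
SAMPLE = "appuser/example-password@ORCL"  # constructed connection string

class Unauthorized(Exception):
    pass

def guarded_getattr(obj, name, user_roles):
    """Fetch obj.<name> the way untrusted script code would be allowed to."""
    if name.startswith("_"):
        # Underscore-prefixed names are off limits to restricted code.
        raise Unauthorized(name)
    value = getattr(obj, name)
    roles = getattr(obj, name + "__roles__", None)
    if roles is None:
        # No per-attribute declaration: readable (the behaviour reported).
        return value
    if not set(roles) & set(user_roles):
        raise Unauthorized(name)
    return value

class OpenConnection:
    """As reported: connection_string carries no declaration."""
    def __init__(self, s):
        self.connection_string = s

class RenamedConnection:
    """First suggestion: store the secret under an underscore name."""
    def __init__(self, s):
        self._connection_string = s

    def database(self):
        # Trusted product code can still use the private attribute.
        return self._connection_string.rsplit("@", 1)[-1]

class RoleGuardedConnection(OpenConnection):
    """Second suggestion: per-attribute roles declared on the class."""
    connection_string__roles__ = ("DBAdmin",)

def can_read(obj, name, user_roles):
    """True if restricted code holding user_roles may read obj.<name>."""
    try:
        guarded_getattr(obj, name, user_roles)
        return True
    except Unauthorized:
        return False
```

In this model a caller holding only `Manager` can read the undeclared attribute but neither the renamed nor the role-guarded one, while the connection object itself keeps working for pages that use it.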