[Zope-DB] restricted zsql permissions: there must be an easier way!

Toni Vicens toni_vicens at terra.es
Fri Jul 23 03:50:03 EDT 2004


I'm completely sure, because if I change the restricted folder
permissions it works.

Anyway, I'm wondering if I'm not being a little paranoid with this
security issue. Could an authenticated site member really see others'
addresses if I unprotect the restricted folder?

Toni.

On Thu, 2004-07-22 at 22:24, Dieter Maurer wrote:
> > ...
> > The ZPT code which generates the error is the following:
> > 
> > <div tal:define="addresses python:container.sql.getAddresses()"
> > tal:repeat="address addresses" tal:omit-tag="">
> > <strong tal:content="address/attribute1">First attribute in the
> > address</strong><br>
> > ...
> > </div>
> > 
> > getAddresses() being the script with manager/owner proxy role which
> > calls the ZSQL method in the restricted folder, and attribute1 being one
> > of the fields returned by the ZSQL method.
> 
> 
> Are you sure that "attribute1" is returned as a field from your
> Z SQL Method?
> 
> The returned objects (both the "Results" object
> as well as the individual "record" objects) are
> public and can be accessed without restriction.
> 
> I see only one potential explanation:
> 
>   The "row" does not contain an "attribute1" attribute,
>   it therefore is acquired and access to this object
>   is not allowed.
> 
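As an added illustration (not code from this thread or from Zope itself), the toy model below reproduces the mechanism Dieter describes and the defensive fix it suggests: the proxy role only covers the script's query, the template is rendered with the member's own roles, and a column missing from the record falls through to acquisition from the restricted folder. The `RestrictedFolder` class, the role names and the sample rows are constructed assumptions, not Zope's real objects.

```python
# Added example, not code from the thread: a toy model of Dieter's point.
# "address/attribute1" is looked up on the record first (record fields are
# public); if the column is absent, the name is acquired from the container,
# and that lookup is checked against the member's roles, not the proxy role.
# Names, roles and rows are constructed for this demo.

class Unauthorized(Exception):
    pass

class RestrictedFolder(object):
    """Stand-in for the restricted folder: readable only by allowed roles."""

    def __init__(self, allowed_roles, **attrs):
        self.allowed_roles = set(allowed_roles)
        self.attrs = attrs

    def acquire(self, name, roles):
        if not self.allowed_roles & set(roles):
            raise Unauthorized("acquisition of %r refused for %r" % (name, roles))
        return self.attrs.get(name)

def traverse(record, container, name, roles):
    """Model of the ZPT path 'address/<name>': record first, then acquisition."""
    if name in record:
        return record[name]          # public record field, no check
    return container.acquire(name, roles)

def render_field(record, container, name, roles):
    """What the template would show, or "Unauthorized" if rendering fails."""
    try:
        return traverse(record, container, name, roles)
    except Unauthorized:
        return "Unauthorized"

def get_addresses(run_query, columns):
    """Model of the proxy-role script: query as Manager, then hand the template
    plain records holding exactly the listed columns, so a missing column is a
    clear error in the script instead of an acquisition lookup in the template."""
    rows = run_query(["Manager"])    # the proxy role applies only here
    out = []
    for row in rows:
        missing = [c for c in columns if c not in row]
        if missing:
            raise KeyError("query result lacks column(s): %s" % ", ".join(missing))
        out.append(dict((c, row[c]) for c in columns))
    return out
```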