[Zope-dev] Security Question

Danny William Adair danny@adair.net
Wed, 28 Nov 2001 21:30:33 +1300


On Saturday 24 November 2001 01:40, Andre Schubert wrote:
> root/
>   index_html
>   foo/
>     acl_users/
>     bar/
>       Image
>
> I have a image which could only be view by users with a role named
> foobar, these users are in acl_users.
> If i access the image through the web a must authenticate myself for the
> first time, after that everything works well.
> But if i want to access the Image via <dtml-var Image> from the
> index_html in the root-folder a got no access.
> After searching at Zope.org i tested with <dtml-var
> "restrictedTraverse('foo/bar/Image')"> but this doesnt works.
> How do i authenticate myself in foo if i access the folder via dtml.

In your "Image" object, give the "Access Contents Information" to the role 
"Anonymous" (or whoever usually views index_html), but keep "View" forbidden 
for Anonymous (allowed only for "foobar" role owners).

This way, the var tag (which could have been called by Anonymous) will be 
able to "see" the object, and Zope will authenticate automatically, if this 
is necessary in order to view it.

For security reasons, your Image object will not even be "found", if the 
caller's role does not have the "Access Contents Information" permission. I 
find this a good idea and reason.

There is no difference whether you climb to "Image" using restrictedTraverse, 
the "with" tag, or directly. All these will have identical results.

If you want to avoid the separate permission settings (because you have a lot 
of Image objects you want to behave like that), either give "index_html" a 
proxy role that has the "Access Contents Information" permission on "Image" 
(or the whole "bar" folder), or use unrestrictedTraverse in index_html.

hth,
Danny