[Zope-dev] Security Question

[Andre Schubert]

Danny William Adair schrieb:
> 
> On Saturday 24 November 2001 01:40, Andre Schubert wrote:
> > root/
> >   index_html
> >   foo/
> >     acl_users/
> >     bar/
> >       Image
> >
> > I have a image which could only be view by users with a role named
> > foobar, these users are in acl_users.
> > If i access the image through the web a must authenticate myself for the
> > first time, after that everything works well.
> > But if i want to access the Image via <dtml-var Image> from the
> > index_html in the root-folder a got no access.
> > After searching at Zope.org i tested with <dtml-var
> > "restrictedTraverse('foo/bar/Image')"> but this doesnt works.
> > How do i authenticate myself in foo if i access the folder via dtml.
> 
> In your "Image" object, give the "Access Contents Information" to the role
> "Anonymous" (or whoever usually views index_html), but keep "View" forbidden
> for Anonymous (allowed only for "foobar" role owners).
So it is.
> 
> This way, the var tag (which could have been called by Anonymous) will be
> able to "see" the object, and Zope will authenticate automatically, if this
> is necessary in order to view it.
This doesn't work, because the user it not known in root where the
index_html is,
the user is known in the folder view.

> 
> For security reasons, your Image object will not even be "found", if the
> caller's role does not have the "Access Contents Information" permission. I
> find this a good idea and reason.
> 
> There is no difference whether you climb to "Image" using restrictedTraverse,
> the "with" tag, or directly. All these will have identical results.
> 
> If you want to avoid the separate permission settings (because you have a lot
> of Image objects you want to behave like that), either give "index_html" a
> proxy role that has the "Access Contents Information" permission on "Image"
> (or the whole "bar" folder), or use unrestrictedTraverse in index_html.
> 
> hth,
> Danny

as