[Zope] Re: newbie questions about security

Chris McDonough chrism@digicool.com
Fri, 4 Feb 2000 15:51:29 -0500


It's not possible to do this with Zope permissions (or any other
HTTP-based package permissions, AFAIK).  In Zope, either a user can view
the image or they can't based on their role memberships.  Zope has no
concept of where in the tree the user "is" when he calls an image.  This
is reasonable because an image isn't associated in any way with an HTML
file in a request.  

When a user calls for a page in their browser, the HTML representing the
page gets fed into the browser, and the browser calls the images up
one-by-one independent of the HTML.  A new session is established for
each image brought up.  Each session must either authenticate itself
anew to the server or it must be allowed to access files on the web
server without requiring credentials.

Therefore, you have no way of determining whether the request to an
image is associated with an earlier call to the HTML page or not (unless
you use some sort of heuristics to determine timing between hits or
something, which we don't).

Am I misunderstanding the question?


> -----Original Message-----
> From: danny shevitz [mailto:danny_shevitz@yahoo.com]
> Sent: Friday, February 04, 2000 2:11 PM
> To: zope
> Subject: [Zope] Re: newbie questions about security
> 
> 
> Thanks for the response. You were correct about the permission of /Root
> versus /Home. After making /Root hidden to Anonymous I couldn't access
> /Home because standard_html_header and footer were being acquired. This
> again shows that permissions are determined by the permission of the
> parent in acquisition, not the child.
> 
> I still have a question about setting up an /Home/img folder for
> images. I want to access the images from /Home but to not have them
> be directly viewable via a URL, e.g. /Home/img/image1. Is this possible?
> 
> So far any combination of permissions that I have been able to come up
> with between /Home/img, /Home/img/image1, and /Home/img/index_html has
> the side effect that if /Home can access the image, so can the
> Anonymous URL /Home/img/image1. I can independently set the permission
> of /Home/img, just not the subimages.
> 
> thanks,
> Danny
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
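The two behaviours discussed in this thread, as an added toy model that is not Zope's code: a "View" setting that is acquired from the container when an object has none of its own (so /Home/img/image1 inherits from /Home, and /Home's standard_html_header is looked up on /Root), and an authorization check that sees only the target object and the caller's roles, never which page the request "came from". Object names, role names and the helper functions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of Zope-style acquisition (hypothetical, not Zope's
# implementation): an object with no explicit "View" setting takes the
# setting of the nearest container above it that has one.
@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    view_roles: Optional[set] = None          # None means "acquire from parent"
    children: dict = field(default_factory=dict)

    def child(self, name, view_roles=None):
        node = Node(name, self, view_roles)
        self.children[name] = node
        return node

    def effective_view_roles(self):
        node = self
        while node is not None:
            if node.view_roles is not None:
                return node.view_roles
            node = node.parent
        return set()                          # nothing set anywhere: deny

    def acquire(self, name):
        """Look a name up here, then in each container upward (acquisition)."""
        node = self
        while node is not None:
            if name in node.children:
                return node.children[name]
            node = node.parent
        raise KeyError(name)

def build_tree(root_roles):
    root = Node("Root", view_roles=root_roles)
    root.child("standard_html_header")        # no own setting: acquires Root's
    home = root.child("Home", view_roles={"Anonymous", "Manager"})
    img = home.child("img")                   # acquires Home's setting
    img.child("image1")                       # acquires img -> Home
    return root

def can_view(obj, roles):
    """One HTTP request is one independent decision: the target object's
    effective roles against the caller's roles. Which HTML page the browser
    was showing is simply not part of the input."""
    return bool(obj.effective_view_roles() & set(roles))

def can_render_home(root, roles):
    home = root.children["Home"]
    header = home.acquire("standard_html_header")   # found on Root, checked with Root's roles
    return can_view(home, roles) and can_view(header, roles)
```

Restricting /Home/img to Manager in this model blocks image1 for an Anonymous direct URL and for the /Home page alike, which is the side effect the original question describes.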