[Zope] Bug in object security?

James W. Howe jwh@allencreek.com
Tue, 22 Feb 2000 14:56:18 -0500


I've encountered a strange behavior with the Zope security mechanism which 
strikes me as a bug.  Here is what I've done:

1. Create a folder in root named 'AccessTest'
2. Create a user folder in AccessTest
3. Define a role for AccessTest called 'Publisher'
4. Create a user in the acl_users directory and grant the user 'Publisher' 
access
5. From the AccessTest security tab, disable 'Access contents information' 
for anyone except the manager.
6. From the AccessTest security tab, enable 'View management screens' for 
Manager and Publisher.

From a fresh browser (no previous authentication), attempt to access the 
management interface for AccessTest (i.e. 
http://foo.com:8080/AccessTest/manage).  Log in as the 'Publisher' 
user.  The screen displaying the contents of the AccessFolder will be 
displayed.  However, this is where I think a mistake has been made.

In ObjectManager, the 'View management screens' has been associated with 
manage_main and manage_menu.  Similarly, ObjectManager defines the 'Access 
contents information' for the methods objectIds, objectValues and 
objectItems.  When I disable 'Access contents information' for my Publisher 
role, it would seem that users with this role should not be able to access 
these methods.  However, the manage_main dtml code which defines the 
contents view of the management interface makes use of these methods.  When 
the manage_main dtml is rendered, why doesn't Zope prompt for 
authentication when manage_main attempts to access objectItems, for example?

I'm sure there is a very reasonable explanation, but it strikes me as odd.

Thanks.

James W. Howe				mailto:jwh@allencreek.com
Allen Creek Software, Inc.		pgpkey: http://ic.net/~jwh/pgpkey.html		
Ann Arbor, MI  48103
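As an added example (not code from the post or from Zope itself), a small Python model of the configuration in steps 3 to 6: the folder's permission-to-role settings, the ObjectManager method-to-permission mapping the post cites, and two hypothetical rendering paths, one that validates every method it calls and one that checks only the entry point. Role, user and method names are the post's; the two render functions and the user names are assumptions made to show where the paths diverge.

```python
# Added model (not Zope's own code) of the permission check described in the post.
# A folder maps permissions to roles, ObjectManager methods map to permissions,
# and a user carries roles. Two rendering paths are compared.

# Constructed configuration mirroring steps 3-6 of the post.
FOLDER_PERMISSIONS = {
    "Access contents information": {"Manager"},            # step 5
    "View management screens": {"Manager", "Publisher"},   # step 6
}

# Permission guarding each ObjectManager method, as stated in the post.
METHOD_PERMISSIONS = {
    "manage_main": "View management screens",
    "manage_menu": "View management screens",
    "objectIds": "Access contents information",
    "objectValues": "Access contents information",
    "objectItems": "Access contents information",
}

# Constructed users: 'publisher' holds the post's Publisher role (step 4).
USER_ROLES = {"publisher": {"Publisher"}, "admin": {"Manager"}}


def validate(user, method):
    """True if any of the user's roles holds the permission guarding `method`."""
    needed = METHOD_PERMISSIONS[method]
    return bool(USER_ROLES[user] & FOLDER_PERMISSIONS[needed])


def reachable(user):
    """Audit helper: every method the user is permitted to call directly."""
    return {m for m in METHOD_PERMISSIONS if validate(user, m)}


def render_restricted(user):
    """Hypothetical path that re-validates each method the contents view uses.
    Returns the first method the user is denied (where a login prompt would
    appear), or None if every access passes."""
    for method in ("manage_main", "objectItems", "objectValues"):
        if not validate(user, method):
            return method
    return None


def render_trusted(user):
    """Hypothetical path that validates only the entry point and then calls
    the contents methods internally without further checks."""
    if not validate(user, "manage_main"):
        return "manage_main"
    return None
```

With the post's settings, `render_restricted("publisher")` stops at `objectItems`, while `render_trusted("publisher")` completes, which is the difference the post observes.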