[Zope] Re: [Zope-dev] possible security flaw? - and, request for a phone
conference.
conference.
Stuart 'Zen' Bishop
zen@cs.rmit.edu.au
Thu, 8 Jun 2000 18:41:37 +1000 (EST)
On Wed, 7 Jun 2000, Jon Franz wrote:
> Basically, if a user with manager privileges to a folder changes
> their
> password to be empty, then anyone (from permitted domains) can access the
> management screen for that folder Without Logging On... Zope assumes that
> you are the user without the password and treats you as if you have those
> rights.
This is a feature, but I don't know if or where it is documented besides
the source code (which is a bug if it isn't I guess). The blank password
feature is normally combined with the domain limitation feature to allow
connections from a given network to automatically attach with various
permissions (such as a trusted that pushes data into the ZODB - this
method avoids having to keep a password in plaintext around on your
filesystem).
--
Stuart Bishop Work: zen@cs.rmit.edu.au
Senior Systems Alchemist Play: zen@shangri-la.dropbear.id.au
Computer Science, RMIT University