[Zope] permissions broken?

Courrier xavier.damay@netcourrier.com
Fri, 9 Nov 2001 15:11:56 +0100


Hello,

I've tried what you said.

When "standard_html_header" and "standard_html_footer" are owned by "dev", it works with "Access contents information" permission set for manager role.

I think it's because of acquisition of DTML Method owned by root.

Am I right?

I am new to Zope, and I want to learn a lot about security.

If you have exercises like this one, I would appreciate it.

(I need also grammar correction, isn't it ;)

Xavier



Today I tried on my Zope 2.3.2 (source release, python 1.5.2, linux2) what I did a hundred times successfully before:

1. created a folder "production"
2. set not to acquire the "View" permission for this folder
3. created a role "developer"
4. created a user "dev" with role developer
5. changed security settings so that developers can "View"
6. created two dtml-methods "standard_html_header" and "standad_html_footer" inside the new folder
7. logged in as dev and got the error message:

Unauthorized

You are not authorized to access standard_html_header

Strangely enough, this only occurs with standard_html_header and standard_html_footer.

I also created a dtml-method called index_html and could see it.



