[Zope] Re: Blocking Sibling inheritance

Chris Withers chris at simplistix.co.uk
Thu Mar 3 10:08:57 EST 2005


Greg Fischer wrote:

> I have folder 1:  /site/dev/customer1/folder/page
> And folder 1:    /site/dev/customer2/folder1/folder2/page
> 
> Each customer level folder has acl_users with different/separate
> accounts.  The security at the customer level folder is set to not
> acquire and no anonymous access.  Now here is the problem I see, you
> type in your URL:
> someplace.com/site/dev/customer1/folder/page
> 
> You are asked to authenticate.  Then you change your url after
> authentication to:
> somplace.com/site/dev/customer1/folder/customer2/folder1/folder1/page
> 
> And you get right in with no authentication!  That should not be allowable.

Does that work if you simplify it to:
somplace.com/site/dev/customer1/customer2/folder1/folder2/page
?

Are you sure 'page' is the page from customer 2 and not the one from 
customer 1?

Well, some possibilities:

- The user you logged in as comes from a "higher up" user folder, in 
which case they'd be able to access either customer

- there's a serious security hole in zope ;-)

If you can reproduce it and are sure everything is as it should be, boil 
it down to the simplest possible case that reproduces the bug and chuck 
it into the collector at:

http://www.zope.org/Collectors/Zope

...'cos it'll need urgent attention!

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
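To make the behaviour under discussion concrete, here is an added toy model of acquisition-style URL traversal; it is not Zope's code and the `Folder` class, the `is_boundary` flag and the `strict` guard are assumptions of the model. It reproduces the sibling lookup from the thread (a segment not found in the current folder is searched for in every earlier folder on the traversal path) and shows one defensive check that refuses to acquire a folder carrying its own acl_users from anything but its real container.

```python
from dataclasses import dataclass, field

@dataclass
class Folder:
    name: str
    is_boundary: bool = False  # folder with its own acl_users (a security boundary)
    parent: "Folder | None" = None
    children: dict = field(default_factory=dict)

    def add(self, child: "Folder") -> "Folder":
        child.parent = self
        self.children[child.name] = child
        return child

    def physical_path(self) -> str:
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))

def traverse(root: Folder, url_path: str, strict: bool = False) -> Folder:
    """Resolve url_path one segment at a time. A segment is looked up in the
    current object first, then (acquisition) in every earlier object on the
    traversal stack, so a URL under customer1 can reach sibling customer2.
    With strict=True, a hop that acquires a boundary folder from anything
    other than its real container is refused (hypothetical guard, not Zope's)."""
    stack = [root]
    for seg in url_path.strip("/").split("/"):
        for ctx in reversed(stack):
            if seg in ctx.children:
                found = ctx.children[seg]
                break
        else:
            raise KeyError(seg)
        if strict and found.is_boundary and stack[-1] is not found.parent:
            raise PermissionError(
                f"refusing to acquire {found.physical_path()} from {stack[-1].physical_path()}")
        stack.append(found)
    return stack[-1]

def build_site() -> Folder:
    """Constructed tree matching the thread's two paths; each customer folder has its own acl_users."""
    root = Folder("")
    dev = root.add(Folder("site")).add(Folder("dev"))
    c1 = dev.add(Folder("customer1", is_boundary=True))
    c1.add(Folder("folder")).add(Folder("page"))
    c2 = dev.add(Folder("customer2", is_boundary=True))
    c2.add(Folder("folder1")).add(Folder("folder2")).add(Folder("page"))
    return root
```

With the default (acquiring) traversal, the long URL from the thread resolves to customer2's page even though the request entered through customer1; with `strict=True` the same URL is refused while the direct customer2 URL still works.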