[Zope] Re: htaccess with zope/plone ?
michael nt milne
michael.milne at gmail.com
Wed Feb 8 07:39:05 EST 2006
OK, I've gone into the security tab in the site root and set 'view' to
'authenticated' whilst de-selecting acquire. However, using the password that
gets me into the overall 8080/manage doesn't work. Also the front page still
comes up if you cancel the login box and the page displays without CSS. This
shouldn't happen with view set to authenticated.
On 2/8/06, Jens Vagelpohl <jens at dataflake.org> wrote:
> On 7 Feb 2006, at 23:58, michael nt milne wrote:
> > Also, just to say that I did a test on only letting authenticated
> > and managers view the root page of the site over ssl. If you just
> > cancelled the login box or closed it, the whole front page was
> > displayed without any css but you could still get all the content.
> > I've had this quite a bit before so that's why I'm looking into
> > Apache authentication. I just don't think that Zope authentication
> > is secure.
> As someone else has already mentioned, there is zero difference when
> it comes to "how secure" the login procedure is. It doesn't matter
> how you set up authentication if you haven't applied the proper
> permission settings in Zope to prevent showing that front page
> content you mentioned earlier. You need to get a better idea how to
> use the built-in Zope security mechanisms to achieve the security
> settings you would like to see.
> Using both Apache and Zope authentication will bring mostly pain.
> Your strategy is wrong. Get a better understanding of what Zope can
> do in that regard and then decide.