[Zope] major problems placing authentication on an extranet site-security flaw?

Tino Wildenhain tino at wildenhain.de
Wed Feb 8 17:01:08 EST 2006

michael nt milne schrieb:
> Of course I did. Why on earth would you be able to view a front page of
> a site when it is labelled as 'authenticated' and also as 'manager' ?
> just by pressing cancel or return a few times. Big security flaw I'm
> sorry. Also superuser passwords don't work when security is set up and
> I've tried this on a couple of set-ups. And this is apart from the
> usability.

I dont get what you tried... many of us are doing it and it just
works. Much easier as with apache I say. Apropos getting and trying...
could you try to set your mail-client to text only and quote like
all others do? This would make it easier to read what you type :-)

You only remove [ ] Acquire for View and assign it to
Authenticated or better to whatever role your users should belong.

Canceling Authentication requester will not show you contents
but the standard_error_page - unless you have a broken useragent
(e.g. Internetexplorer) with horrible cache settings and did
view the authenticated page before.

Tino Wildenhain

More information about the Zope mailing list