[Zope] major problems placing authentication on an extranet site-security flaw?

Andreas Pakulat apaku at gmx.de
Wed Feb 8 17:47:01 EST 2006

On 08.02.06 21:38:26, michael nt milne wrote:
> Of course I did. Why on earth would you be able to view a front page of a
> site when it is labelled as 'authenticated' and also as 'manager' ? just by
> pressing cancel or return a few times.

I just checked that with a plain Zope's index_html. I cannot view
localhost:8080/ when I change the security setting of index_html to
allow View only for authenticated. However I can view it when I
authenticate with the initial user information.

Now the same thing with a plone site, removed the view-right from
front_page I get a screen telling me to authenticate. Not the "box"
because Plone normally uses cookie-auth, you should be able to change
that in the UserFolder. If I use the initial-user with the
cookie-based-form I can see the plone site.

Then I removed the View right from the plone-site-object for anonymous
and when I access localhost:8080/p1 I get the Basic-HTTP-Login Box,
giving it the initial-user-info it lets me view the front_page. 

> Big security flaw I'm sorry.

I wonder why you are the only one experiencing this... Maybe because the
error is on your side (or sits in front of your monitor)? And not Zope.

> Also
> superuser passwords don't work when security is set up and I've tried this
> on a couple of set-ups. And this is apart from the usability.

What do you mean with superuser? There is no superuser, you have an
initial user but that's not a user you'd normally use to login. You add
new Users in the user-folder.

And what usability problem are you now talking about?


Reply hazy, ask again later.

More information about the Zope mailing list