[Zope] Re: major problems placing authentication on an extranet
fg at nuxeo.com
Tue Feb 14 11:01:53 EST 2006
Michael Vartanyan wrote:
> In the very beginning of my Zope career, I once "shot myself in the
> foot" with a very stupid thing... I kept it to myself then but if we are
> talking about Zope security settings and usability of the ZMI at the
> same time, perhaps it is an ideal place to raise this issue.
> If you use the famous manage_access page with all the checkboxes to set
> permissions on an object, it then calls manage_changePermissions to
> using POST method to apply your settings. The result is that
> http://your_object_url/manage_changePermissions (without any parameters)
> stays in your browser visited url history. Now imagine what happens if
> you click this url by mistake being logged as someone with "Change
> permissions" permission.
> I guess changing the form method to GET is not going to be liked by
> browsers that put additional restrictions on URL length. So I would
> propose to introduce a basic request sanity check in the
> manage_changePermissions itself. I cannot think of any use for resetting
> all permissions and acquisition for everyone, so the easiest way to do
> that is to simply check that at least something exists in the form:
> def manage_changePermissions(self, REQUEST):
> """Change all permissions settings, called by management screen.
> >> if len(REQUEST.form)<2: raise ...
> self._isBeingUsedAsAMethod(REQUEST, 0)
> fails = 
> or something like that.
Actually the proper way to do it, and for exactly the reasons you outlined
above, is to always do a redirect to a "result page" url after a POST that
has side effects. It's even mandated by the HTTP/HTML specs.
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
More information about the Zope