[Zope] Re: major problems placing authentication on an extranet site-security flaw?

Michael Vartanyan pycry at doli.biz
Tue Feb 14 17:49:12 EST 2006


I agree. A little bit of a problem is that the Zope 2 Book and the ZMI 
do not seem to agree. I guess it was/is not the practice that Zope 2 
developers endorsed/followed. But "Zope2 is beyond help" (C) Chris M. 
(taken out of context by me :-))


Florent Guillaume wrote:

>
>
> Michael Vartanyan wrote:
>
>>
>> I guess changing the form method to GET is not going to be liked by 
>> browsers that put additional restrictions on URL length. So I would 
>> propose to introduce a basic request sanity check in the 
>> manage_changePermissions itself. I cannot think of any use for 
>> resetting all permissions and acquisition for everyone, so the 
>> easiest way to do that is to simply check that at least something 
>> exists in the form:
>
>
> Actually the proper way to do it, and for exactly the reasons you 
> outlined above, is to always do a redirect to a "result page" url 
> after a POST that has side effects. It's even mandated by the 
> HTTP/HTML specs.
>
> Florent
>
>
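The two defences discussed above, written out as an added example (this is illustration code, not Zope's manage_changePermissions and not anything from the thread's authors). It is framework-independent: the form-key layout (`p<N>r<M>` for a grant, `a<N>` for acquisition), the `store` dict standing in for an object's security settings, and the `Response` class are all assumptions made for the example. The handler refuses a POST whose form carries no permission data at all, so a stray or replayed empty submission cannot reset everything, and it answers a successful change with a 303 redirect to a result page so that reload or back re-fetches the result page rather than re-posting the form.

```python
import re
from dataclasses import dataclass, field

# Constructed form-key layout for this example (an assumption, not Zope's):
#   p<N>r<M>=on  -> permission N granted to role M
#   a<N>=on      -> permission N acquires its setting from the container
_GRANT_KEY = re.compile(r"^p(\d+)r(\d+)$")
_ACQUIRE_KEY = re.compile(r"^a(\d+)$")


@dataclass
class Response:
    """Minimal HTTP response stand-in (assumed; not a real framework type)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_permission_form(form):
    """Return (grants, acquire) sets parsed from the submitted form fields.

    Unrelated fields such as a submit button are ignored.
    """
    grants, acquire = set(), set()
    for key in form:
        m = _GRANT_KEY.match(key)
        if m:
            grants.add((int(m.group(1)), int(m.group(2))))
            continue
        m = _ACQUIRE_KEY.match(key)
        if m:
            acquire.add(int(m.group(1)))
    return grants, acquire


def change_permissions(form, method, store, result_url):
    """Apply a permission form to `store` and answer with a redirect.

    `store` is a plain dict standing in for the object's security settings.
    """
    # A side-effecting handler only accepts POST, so fetching the handler URL
    # from a bookmark or a link (a GET) can never wipe the settings.
    if method != "POST":
        return Response(405, {"Allow": "POST"}, "method not allowed")

    grants, acquire = parse_permission_form(form)

    # Sanity check proposed in the thread: a form with no permission data at
    # all is almost certainly a stray or replayed submission. Refuse it instead
    # of interpreting it as "revoke everything and drop acquisition".
    if not grants and not acquire:
        return Response(400, {}, "no permission settings in form; nothing changed")

    store["grants"] = grants
    store["acquire"] = acquire

    # Post/Redirect/Get: 303 See Other tells the browser to GET the result page,
    # so reload or back re-fetches that page instead of re-POSTing the form.
    return Response(303, {"Location": result_url})
```

Returning 400 for the empty form (rather than silently applying it) also gives the administrator a visible signal that something replayed or truncated the request, which is the symptom the original poster was chasing.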