[Zope] Re: restricting permissions for direct access only

Tres Seaver tseaver at palladion.com
Wed Feb 15 23:49:33 EST 2006

Michael Shulman wrote:
> On 2/15/06, Chris Withers <chris at simplistix.co.uk> wrote:
>>>But... it's still not working for my real site.  I think the issue is
>>>this.  If script1 has proxy role Manager, and script2 has view
>>>permissions set only for Manager, then script1 can call script2, no
>>>problem.  But if script1 instead calls script3, which then calls
>>>script2, it doesn't work unless script3 *also* has proxy role Manager.
>>Yes, this was a deliberate change made a few major releases ago. I've
>>never much liked it myself for exactly the reason you describe. I wonder
>>if anyone who knows could point out why this change was made, I'm sure
>>the reasons were good...
> Even if the reasons were good, it would be nice to have an option to
> turn it on or off, even if the default is off.  At the very least, it
> would be nice if this fact were documented.  (Is it somewhere and I
> just missed it?)  It surprised me very much, and it would have
> surprised and frustrated me even more if I'd written a site which
> worked and then later on decided to split off the functionality of
> some private script into a secondary one, unsuspecting that it would
> break the proxy roles setup.

The prior behavior (allowing users to access protected resources "above"
the domain of their user folders) was a security hole caused by a bug,
and was never documented as allowable:  correcting it was a matter for a
rather urgent fix, as it broke the explicitly-documented model.

The fact that folks wrote applications which relied on the hole is
unfortunate;  breaking them is better than leaving the sites built
around the defined model vulnerable to abuse.
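To make the behaviour Michael describes concrete: the following is an added example (not Zope's own AccessControl code) that models the one rule behind it, namely that a permission check looks only at the executable currently on top of the execution stack, and that executable's proxy roles replace the caller's roles rather than being inherited from outer callers. The names `Script`, `SecurityContext`, `direct_call` and `via_intermediate` are invented for this illustration; the role sets assigned to the scripts are constructed sample data, and the ownership/user-folder check Tres refers to is deliberately left out.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

# Toy model of how proxy roles resolve through a chain of script calls.
# This is an illustration written for this thread, not Zope's own
# ZopeSecurityPolicy; all names here are invented.

MANAGER = "Manager"
ANONYMOUS = "Anonymous"


@dataclass(frozen=True)
class Script:
    name: str
    # Roles granted the "View" permission on this script.
    view_roles: FrozenSet[str]
    # Proxy roles the script runs with, or None if it has none.
    proxy_roles: Optional[FrozenSet[str]] = None


class Forbidden(Exception):
    pass


class SecurityContext:
    """Tracks the calling user's roles and the executable stack."""

    def __init__(self, user_roles):
        self.user_roles = frozenset(user_roles)
        self.stack: List[Script] = []

    def effective_roles(self) -> FrozenSet[str]:
        # Only the innermost executable counts: its proxy roles stand in
        # for the user's roles while it runs. Proxy roles of callers
        # further down the stack are *not* inherited.
        top = self.stack[-1] if self.stack else None
        if top is not None and top.proxy_roles is not None:
            return top.proxy_roles
        return self.user_roles

    def call(self, script: Script,
             body: Optional[Callable[["SecurityContext"], object]] = None):
        # The check uses the roles in force for whoever is calling, i.e.
        # the script currently on top of the stack (or the user itself).
        have = self.effective_roles()
        if not (have & script.view_roles):
            raise Forbidden(f"{script.name}: need one of "
                            f"{sorted(script.view_roles)}, have {sorted(have)}")
        self.stack.append(script)
        try:
            return body(self) if body is not None else script.name
        finally:
            self.stack.pop()


# Constructed sample scripts mirroring the thread's script1/2/3.
SCRIPT2 = Script("script2", view_roles=frozenset({MANAGER}))
SCRIPT1_PROXY = Script("script1", view_roles=frozenset({ANONYMOUS, MANAGER}),
                       proxy_roles=frozenset({MANAGER}))
SCRIPT3_PLAIN = Script("script3", view_roles=frozenset({ANONYMOUS, MANAGER}))
SCRIPT3_PROXY = Script("script3", view_roles=frozenset({ANONYMOUS, MANAGER}),
                       proxy_roles=frozenset({MANAGER}))


def direct_call() -> bool:
    """script1 (proxy Manager) calls script2 (Manager only)."""
    ctx = SecurityContext({ANONYMOUS})
    try:
        ctx.call(SCRIPT1_PROXY, lambda c: c.call(SCRIPT2))
        return True
    except Forbidden:
        return False


def via_intermediate(script3: Script) -> bool:
    """script1 (proxy Manager) calls script3, which calls script2."""
    ctx = SecurityContext({ANONYMOUS})
    try:
        ctx.call(SCRIPT1_PROXY,
                 lambda c: c.call(script3, lambda c2: c2.call(SCRIPT2)))
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("script1 -> script2:", direct_call())
    print("script1 -> script3 (no proxy) -> script2:",
          via_intermediate(SCRIPT3_PLAIN))
    print("script1 -> script3 (proxy Manager) -> script2:",
          via_intermediate(SCRIPT3_PROXY))
```

When script3 sits between the two, it is script3 that is on top of the stack at the moment script2 is checked, so the anonymous user's own roles are what get compared against script2's Manager-only setting and the call fails; giving script3 its own proxy role is what makes the chain work again, exactly as reported above.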

