[Zope] Re: restricting permissions for direct access only
bluepaul at earthlink.net
Thu Feb 16 00:43:36 EST 2006
Tres Seaver wrote:
>Michael Shulman wrote:
>>On 2/15/06, Chris Withers <chris at simplistix.co.uk> wrote:
>>>>But... it's still not working for my real site. I think the issue is
>>>>this. If script1 has proxy role Manager, and script2 has view
>>>>permissions set only for Manager, then script1 can call script2, no
>>>>problem. But if script1 instead calls script3, which then calls
>>>>script2, it doesn't work unless script3 *also* has proxy role Manager.
>>>Yes, this was a deliberate change made a few major releases ago. I've
>>>never much liked it myself for exactly the reason you describe. I wonder
>>>if anyone who knows could point out why this change was made, I'm sure
>>>the reasons were good...
>>Even if the reasons were good, it would be nice to have an option to
>>turn it on or off, even if the default is off. At the very least, it
>>would be nice if this fact were documented. (Is it somewhere and I
>>just missed it?) It surprised me very much, and it would have
>>surprised and frustrated me even more if I'd written a site which
>>worked and then later on decided to split off the functionality of
>>some private script into a secondary one, unsuspecting that it would
>>break the proxy roles setup.
>The prior behavior (allowing users to access protected resources "above"
>the domain of their user folders) was a security hole caused by a bug,
>and was never documented as allowable: correcting it was a matter for a
>rather urgent fix, as it broke the explicitly-documented model.
>The fact that folks wrote applications which relied on the hole is
>unfortunate; breaking them is better than leaving the sites built
>around the defined model vulnerable to abuse.
I just disagree. If there's a paranoia with the standard set of roles
then prevent *those* from upward acquisition. But if I add a role
*specifically* so it can access a common code pool, say like
probably distinguished by data adapter access to various companies ...
then what's the downside? The upside is that I don't have to copy one
code improvement across n number of sub-folder instances.
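
The script1/script3/script2 call-chain behaviour described in the quoted text above, as an added sketch that is not part of the original message and is not Zope's code. It assumes that only the proxy roles of the script currently at the top of the call stack are consulted; the `Script`, `allowed`, `run` and `build` names are hypothetical.

```python
# Simplified model (assumption, not Zope source): only the proxy roles of the
# script currently executing (top of the call stack) are consulted.
from dataclasses import dataclass, field

class Unauthorized(Exception):
    pass

@dataclass
class Script:
    name: str
    view_roles: frozenset                 # roles allowed to call this script
    proxy_roles: frozenset = frozenset()  # empty means "no proxy roles set"
    calls: list = field(default_factory=list)  # scripts this one invokes

def allowed(target, user_roles, stack):
    if stack and stack[-1].proxy_roles:
        effective = stack[-1].proxy_roles  # proxy roles replace the user's roles
    else:
        effective = user_roles             # direct request, or caller has no proxy roles
    return bool(effective & target.view_roles)

def run(script, user_roles, stack=None):
    """Return the list of script names executed, or raise Unauthorized."""
    stack = [] if stack is None else stack
    if not allowed(script, user_roles, stack):
        caller = stack[-1].name if stack else "request"
        raise Unauthorized(f"{caller} -> {script.name}")
    stack.append(script)
    try:
        trace = [script.name]
        for callee in script.calls:
            trace += run(callee, user_roles, stack)
        return trace
    finally:
        stack.pop()

def build(script3_proxy=frozenset()):
    # Constructed sample site: script2 is viewable by Manager only.
    anyone = frozenset({"Anonymous", "Manager"})
    manager = frozenset({"Manager"})
    script2 = Script("script2", view_roles=manager)
    script3 = Script("script3", anyone, script3_proxy, [script2])
    direct = Script("script1", anyone, manager, [script2])    # script1 -> script2
    chained = Script("script1", anyone, manager, [script3])   # script1 -> script3 -> script2
    return script2, direct, chained
```
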