[Zope3-dev] add.pt and security

R. David Murray bitz@bitdance.com
Mon, 2 Sep 2002 16:14:30 -0400 (EDT)


Background: w3m has a known "bug" where it does not send basic
auth info unless challenged.  This turns out to be very useful
for finding security holes in Zope <grin>.

If I click on the 'add' button on the Z3 main screen, I get to view
the add screen, but the selection menu is empty and at the bottom
of the screen I have "User: Unauthenticated User".  I checked the
zcml that sets up that screen (which, by the way, I only found by
grepping for a string I could see in the view source for the page
that was likely to be unique and looking at the zcml in the directory
that grep led me to; finding where a given page you are looking
at in z3 is declared seems to be a Hard Problem <frown>).
As far as I can see, that screen should be protected by the
Zope.ManageContent permission, which by default is granted only
to Manager.  So unless I'm misunderstanding something fundamental,
w3m should be getting a challenge when it tries to access that
page, but as far as I can see it isn't.

I tried setting ZOPE_WATCH_CHECKERS, but I could not find any of
'add.pt', 'index.html', or 'create' in the voluminous output, so
I'm not sure how to go about debugging this.  Suggestions welcome <grin>.

--RDM
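The technique the post relies on (a client that never sends credentials
preemptively shows you exactly what an anonymous user gets) can be scripted
so that it does not depend on w3m's behaviour. The block below is an added
example written for this archive page; it is not code from the post or from
Zope. It fetches each path with no Authorization header, the way w3m does
before it has been challenged, and reports whether the server answered with a
401 plus a WWW-Authenticate header (the expected behaviour for a page guarded
by a permission under basic auth) or served a 200 to the anonymous client. It
also looks for the "User: Unauthenticated User" footer the post mentions. The
embedded HTTP server, the paths /ok/add.pt and /leaky/add.pt, and the page
bodies are all constructed stand-ins for the two behaviours, not real Zope
responses.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Footer text the post saw at the bottom of the add screen.
ANON_MARKER = b"User: Unauthenticated User"


class _StubZope(BaseHTTPRequestHandler):
    """Constructed stand-in for a Zope instance (hypothetical, not Zope code).
    /ok/add.pt challenges as the poster expected; /leaky/add.pt serves the page
    to an anonymous client, which is what the post describes seeing."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        if self.path == "/ok/add.pt":
            self._reply(401, b"Unauthorized",
                        {"WWW-Authenticate": 'Basic realm="Zope"'})
        elif self.path == "/leaky/add.pt":
            body = b"<select name='type_name'></select>\n" + ANON_MARKER + b"\n"
            self._reply(200, body, {})
        else:
            self._reply(404, b"Not Found", {})

    def _reply(self, status, body, extra_headers):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra_headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Start the stand-in server on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _StubZope)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url):
    """Fetch url exactly as w3m does before a challenge: no Authorization
    header at all. urllib's default opener raises HTTPError for 4xx, so the
    401 case is handled in the except branch."""
    req = Request(url, headers={"User-Agent": "auth-probe/0.1"})
    try:
        with urlopen(req, timeout=5) as resp:
            status, headers, body = resp.status, resp.headers, resp.read()
    except HTTPError as err:
        status, headers, body = err.code, err.headers, err.read()
    return {
        "status": status,
        # A correct basic-auth guard answers 401 and names a realm.
        "challenged": status == 401 and headers.get("WWW-Authenticate") is not None,
        # The footer text that told the poster the view was rendered anonymously.
        "anonymous_marker": ANON_MARKER in body,
    }


def audit(base_url, paths):
    """Probe each path that is supposed to be permission-protected and flag
    the ones that served a 200 to a client that never offered credentials."""
    findings = {}
    for path in paths:
        result = probe(base_url + path)
        result["leaks"] = result["status"] == 200
        findings[path] = result
    return findings


if __name__ == "__main__":
    srv = start_stub()
    base = "http://127.0.0.1:%d" % srv.server_port
    for path, res in audit(base, ["/ok/add.pt", "/leaky/add.pt"]).items():
        verdict = "LEAK" if res["leaks"] else "ok"
        print("%-16s %s  status=%d challenged=%s marker=%s"
              % (path, verdict, res["status"], res["challenged"], res["anonymous_marker"]))
    srv.shutdown()
```

To run this against a real instance, replace the stub's base URL with the
instance's and list the views you believe are guarded by a permission such as
Zope.ManageContent. A 200 from an unauthenticated probe is worth a look but is
not proof of a hole on its own: a view that renders a login form or an
explicit "not allowed" page also returns 200, which is why the probe reports
the anonymous-footer marker separately rather than treating every 200 as a
finding.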