[Zope3-dev] add.pt and security

Jim Fulton jim@zope.com
Tue, 03 Sep 2002 12:32:58 -0400


R. David Murray wrote:
> Background: w3m has a known "bug" where it does not send basic
> auth info unless challenged.  This turns out to be very useful
> for finding security holes in Zope <grin>.
> 
> If I click on the 'add' button on the Z3 main screen, I get to view
> the add screen, but the selection menu is empty and at the bottom
> of the screen I have "User: Unauthenticated User".  I checked the
> zcml that sets up that screen (which, by the way, I only found by
> grepping for a string I could see in the view source for the page
> that was likely to be unique and looking at the zcml in the directory
> that grep led me to; finding where a given page you are looking
> at in z3 is declared seems to be a Hard Problem <frown>).

We should really make it a standard feature of templates for them
to, at least optionally, include a comment saying where they came
from. This comment should be automatically generated and should be
included in macros too.


> As far as I can see, that screen should be protected by the
> Zope.ManageContent permission, which by default is granted only
> to Manager.  So unless I'm misunderstanding something fundamental,
> w3m should be getting a challenge when it tries to access that
> page, but as far as I can see it isn't.

This appears to be a bug, which I can reproduce.

Would you submit two collector entries, a bug report and
a feature request for including the above-mentioned comment?

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (888) 344-4332            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
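The behaviour under discussion, as an added illustration that is not Zope code: a toy WSGI-style dispatcher with a constructed permission table, a probe that behaves like w3m (sends Basic credentials only after a 401 challenge), and the check a reviewer wants, namely that an anonymous request to a permission-protected view is challenged rather than rendered for "Unauthenticated User". The `challenge=False` switch reproduces the reported symptom; every name and value here is hypothetical.

```python
import base64

# Constructed tables standing in for Zope's permission and principal setup.
PROTECTED = {"/add": "Zope.ManageContent"}          # view -> required permission
GRANTS = {"manager": {"Zope.ManageContent"}}         # principal -> granted permissions
PASSWORDS = {"manager": "secret"}                    # constructed credentials


def authenticate(environ):
    """Return the principal named by a Basic Authorization header, or None."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return user if PASSWORDS.get(user) == pw else None


def view(path, environ, challenge=True):
    """Dispatch one request. With challenge=False the protected page renders
    for an unauthenticated user instead of issuing a 401, the reported bug."""
    user = authenticate(environ)
    needed = PROTECTED.get(path)
    if needed and needed not in GRANTS.get(user, set()) and challenge:
        return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}, ""
    return 200, {}, "User: %s" % (user or "Unauthenticated User")


def probe(path, user=None, pw=None, challenge=True):
    """Behave like w3m: never send credentials pre-emptively, only after a 401."""
    status, headers, body = view(path, {}, challenge)
    if status == 401 and user is not None:
        token = base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()
        status, headers, body = view(
            path, {"HTTP_AUTHORIZATION": "Basic " + token}, challenge)
    return status, body


def protected_page_challenges(path, challenge=True):
    """The check: an anonymous request to a protected view must get a 401,
    and must never render content for the unauthenticated user."""
    status, body = probe(path, challenge=challenge)
    return status == 401 and "Unauthenticated User" not in body
```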