[Zope3-dev] security problems with database adapters (second
edition)
Dmitry Vasiliev
lists at hlabs.spb.ru
Wed Aug 31 09:57:39 EDT 2005
Velko Ivanov wrote:
>
> Dmitry Vasiliev wrote:
>> Maybe we need always check security map at the root folder?
>>
>
> I don't believe this is the solution. Altrough it will solve my example,
> it wouldn't help in other scenarios.
> I would eventually make ZopeConnection and ZopeCursor locatable, if they
> aren't already, and assign the database adapter as the parent of the
> connection and the connection to the cursor at the time of their creation.
> Actually I'm going to patch it like that right away.
ZopeConnection and ZopeCursor not only an objects without an location, see for
example '/++etc++process' so I think it is the UI grant tool problem. I'll post
an issue to the collector.
> One last question, to clear things a bit for me, as I don't have a Zope3
> copy here to try -
> Imagine the user accesses some python class by the means of submiting a
> form and that class needs to do some work with the database, so it
> obtains a database connection, creates a cursor and executes some
> queries. In this case, will the class access the connection with the
> user's privileges, or is it trusted ?
> If it is trusted, my problem here is not of so big importance, but if
> not, I imagine zope.app.rdb needs some urgent updates.
I don't believe that I'm currently fully understand whole Z3's security system,
:-) but I think you can manage access rights through 'permission' attribute of
the form's ZCML directive. For instance in one of my projects there is a pages
which use a database connection with 'zope.Public' and 'zope.ManageContent'
permissions.
--
Dmitry Vasiliev (dima at hlabs.spb.ru)
http://hlabs.spb.ru
More information about the Zope3-dev
mailing list