[Zope-CMF] Security behavior question

Doyon, Jean-Francois Jean-Francois.Doyon@CCRS.NRCan.gc.ca
Fri, 14 Dec 2001 13:58:29 -0500


Hello,

I just noticed a security behavior that surprised me.

Let's say I have an object I access by the URL:

http://localhost/path/to/my/object

Now let's say that object is marked "private" ...

If I try to access the URL above, I'll get redirected to the Log In page ...
which is fine ...

If I try to access it with a /view , same thing happens, also fine ...

If however I try to access it using the component used to view (i.e. the
"action" item of the "view" action) it WORKS! An anonymous user just managed
to view a private item!

This is the default behavior, I haven't touched anything.

Is this right? How do I get around it? Do I have to build the security check
into the DTML used to view the object? That seems strange, shouldn't the
security model "climb up the tree" and make sure the user (in this case
anonymous) has the rights not only to the DTML template used to view the
object, but the object itself?

Any help would be most appreciated,

Thanks,

Jean-François Doyon
Internet Service Development and Systems Support
GeoAccess Division
Canadian Center for Remote Sensing
Natural Resources Canada
http://atlas.gc.ca
Phone: (613) 992-4902
Fax: (613) 947-2410
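The behaviour described above (a template that is itself public rendering an object that is private) can be modelled in a few lines. The following is an added illustration, not code from the post or from Zope/CMF: it assumes a toy site with one "view" template and one content object, a single View permission, and two resolvers. The first authorizes only the template named in the request, which reproduces the observed bypass; the second also checks the object the template is about to render, which is the check the post asks about.

```python
"""Toy model of template-only vs object-aware authorization.

Constructed example; the site, roles and resolvers are assumptions for
illustration and do not reproduce Zope's own security machinery.
"""

from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"
MEMBER = "Member"


class Unauthorized(Exception):
    """Raised when the acting role lacks the View permission on a node."""


@dataclass
class Node:
    """A content object or a view template, with the roles allowed to View it."""
    name: str
    view_roles: frozenset = field(default_factory=frozenset)

    def check_view(self, role: str) -> None:
        if role not in self.view_roles:
            raise Unauthorized(f"{role} may not View {self.name}")


# Constructed sample site: a public view template and a private document.
SITE = {
    "document_view": Node("document_view", frozenset({ANONYMOUS, MEMBER})),
    "object": Node("object", frozenset({MEMBER})),  # "private": members only
}


def resolve_template_only(role: str, object_name: str, template_name: str) -> str:
    """Naive resolver: only the template named in the request is authorized.

    Because the template is viewable by Anonymous, the private object is
    rendered for anyone who requests the template directly.
    """
    template = SITE[template_name]
    template.check_view(role)
    return f"rendered {object_name} with {template.name}"


def resolve_with_object_check(role: str, object_name: str, template_name: str) -> str:
    """Hardened resolver: the target object must be viewable as well.

    The check is tied to the object, so it holds no matter which URL or
    template the request arrives through.
    """
    template = SITE[template_name]
    obj = SITE[object_name]
    template.check_view(role)
    obj.check_view(role)  # the object itself, not just the template
    return f"rendered {obj.name} with {template.name}"


def can_view(resolver, role: str, object_name: str, template_name: str) -> bool:
    """True if the resolver renders the object for this role, False if denied."""
    try:
        resolver(role, object_name, template_name)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    for resolver in (resolve_template_only, resolve_with_object_check):
        outcome = can_view(resolver, ANONYMOUS, "object", "document_view")
        print(f"{resolver.__name__}: anonymous sees private object = {outcome}")
```

The point of the comparison is that a permission declared on the object is only meaningful if every code path that renders the object enforces it; a check that lives solely on the template can always be reached by naming the template directly.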