[Zope-CMF] Security question ...

Jean-Francois.Doyon at CCRS.NRCan.gc.ca Jean-Francois.Doyon at CCRS.NRCan.gc.ca
Mon Apr 19 14:49:00 EDT 2004


How do I prevent access to editing templates/logic within the portal_skins?

I have a bunch of filesystem-based PTs, and their respective
FSDirectoryViews, much like what the default CMF provides.

Right now, someone can just type something like <url to
document>/document_edit_form and see it ... which is of course very, very
bad. This works even when anonymous.

I tried changing the security settings on the folder, but it still works! I
removed anonymous access to View, List Folder contents, Access Contents
Information, Access future portal content, Access inactive portal content,
and removed inheritance of security settings on those items.

Also, it looks like FS-based PTs don't have security settings of their own,
so I can't do it there ... Same problem with the skin folder containing
Python scripts.

Of course, eventually the internal machinery stops unauthorized actions
through the security wrappers on the classes and methods, but I'd feel MUCH
more comfortable if I could know that some anonymous person could view
source to documents and so on!!

Any help would be greatly appreciated!

