[Zope-dev] Security/Acquisition Bug? (take two)

Charlie Wilkinson cwilkins@boinklabs.com
Fri, 10 Nov 2000 18:44:33 -0500


I had posted about this previously, but no one has tackled this one. It
seems to be a pretty serious issue, plus I've done a *lot* of poking
around and learned a few things since I first reported it.  What I have
*not* found (or been told) is that the below-described behavior is normal.

First a simple exercise for those who would like to avoid my laborious
novice Zoper description and just ferret out the likely bug:

Create a fresh CVS copy of Zope on your *nix box.  Build it (python
wo_pcgi.py), configure 'start' with the ports of your choosing, set a
superuser password, start Zope and try to visit the /index_html page.

What I'm getting at that point is a BASICAUTH login box.  One has to
explicitly enable anonymous permissions on the index_html page in order
to view it without logging in.  I've read through all the security
model discussion I could find, but saw no discussion of this issue.
If somehow this behavior is intentional, I would greatly appreciate a clue
to that effect.  (Some response either way would be nice, actually...)

Based on my recent flailings with LoginManager and finally, stock
acl_users in Zope v2.2.cvs, it seems this problem relates to the
"scope" of acl_users and/or its parent folder not including the objects
within.  The security settings of the parent folder are apparently not
regarded in determining access to objects within.  Instead, acl_users is
only impacting its sibling objects (and presumably their child objects).

Apologies if I'm making the wrong noises in the wrong place in the
wrong way.  Any help or pointers welcome.

-cw-

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            Charlie Wilkinson - cwilkins@boinklabs.com - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
    Visit the Radio For Peace International Website: http://www.rfpi.org/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            CLOBBER INTERNET SPAM:  See!! <http://spam.abuse.net/>        
                                   Join!! <http://www.cauce.org/>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
QOTD:
"Bush is a big corporation disguised as a human being running for president."
	-- Ralph Nader on David Letterman (9/28/00)
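
As an added example, not part of the original post and not Zope's own code, the following Python script models how an acquisition-style permission lookup walks up the containment chain, which is the mechanism the post is reasoning about when it asks whether the parent folder's security settings are "regarded" for objects within. The site layout (a root with index_html and a sibling object), the explicit per-object acquire flag, and the 401-vs-403 split in check_access are all assumptions of this model chosen to make the behaviour visible; they are not a description of Zope 2.2's internals. The names (ZObject, roles_for_permission, check_access, build_site, probe) are mine.

```python
"""Simplified model of acquisition-based permission lookup (added example,
not Zope's own code).  Each object carries a permission -> (roles, acquire)
map; the lookup walks up the containment chain while `acquire` is set and
stops at the first non-acquiring setting or at the root."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ANONYMOUS = "Anonymous"


@dataclass
class ZObject:
    name: str
    parent: Optional["ZObject"] = None
    # permission name -> (roles granted here, keep looking upward?)
    perms: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)

    def grant(self, perm: str, roles, acquire: bool = True) -> None:
        self.perms[perm] = (set(roles), acquire)


def roles_for_permission(obj: ZObject, perm: str) -> Set[str]:
    """Collect the roles holding `perm` on obj, following the containment
    chain upward until a non-acquiring setting or the root is reached.
    An object with no explicit setting acquires by default (model assumption)."""
    roles: Set[str] = set()
    node: Optional[ZObject] = obj
    while node is not None:
        granted, acquire = node.perms.get(perm, (set(), True))
        roles |= granted
        if not acquire:
            break
        node = node.parent
    return roles


def check_access(user_roles, obj: ZObject, perm: str = "View") -> int:
    """HTTP status a server using this model would return: 200 when one of
    the user's roles holds the permission, 401 (an auth challenge, which the
    browser shows as a Basic-auth login box) for an anonymous user, 403 for
    an authenticated user who still lacks the permission."""
    allowed = roles_for_permission(obj, perm)
    if allowed & set(user_roles):
        return 200
    return 401 if set(user_roles) == {ANONYMOUS} else 403


def build_site(anonymous_view_at: Optional[str] = None):
    """Constructed sample site: '/' containing index_html and a sibling
    'about'.  'View' at the root is held by Manager only; children acquire.
    Optionally grant Anonymous 'View' at the root or on index_html to show
    where the setting has to live for each object to become viewable."""
    root = ZObject("/")
    root.grant("View", {"Manager"}, acquire=False)
    index = ZObject("index_html", parent=root)
    about = ZObject("about", parent=root)
    if anonymous_view_at == "root":
        root.grant("View", {"Manager", ANONYMOUS}, acquire=False)
    elif anonymous_view_at == "index_html":
        index.grant("View", {ANONYMOUS}, acquire=True)
    return root, index, about


def probe(anonymous_view_at: Optional[str] = None) -> Tuple[int, int]:
    """Status codes an anonymous request gets for /index_html and /about."""
    _, index, about = build_site(anonymous_view_at)
    return (check_access([ANONYMOUS], index), check_access([ANONYMOUS], about))


if __name__ == "__main__":
    print("default (Manager only at root):", probe())             # (401, 401)
    print("Anonymous View on index_html:  ", probe("index_html")) # (200, 401)
    print("Anonymous View on root:        ", probe("root"))       # (200, 200)
```

In the model, granting Anonymous the View permission only on index_html makes that one page public while its sibling still challenges, whereas granting it at the root and letting the children acquire makes both public; when reproducing the steps in the post, compare the response to an unauthenticated request (401 with a WWW-Authenticate: Basic header) against what the permission settings of the root folder and of index_html actually say, since that tells you whether the setting is missing at the root or is simply not being acquired.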