[Zope] Zope Security Problem
Martijn Pieters
mj@antraciet.nl
Mon, 30 Aug 1999 09:53:39 +0200
At 22:27 29/08/99 , Kevin Dangoor wrote:
>So, anyone can look at the content of a Z SQL Method or a DTML Method (and
>maybe document). Is it possible to look at any arbitrary property? I've been
>working under the assumption that there was no way for someone to view a
>property unless you give them access via a method or the management
>screens...
As I understand it, properties are not objects, and are therefore not
traversable with URLs. They can only be referenced from within Zope, so
they are, as far as I can see, safe.

REQUEST for example is an object, so you can access it:

http://www.zope.org/REQUEST

Zope 2.0 gives you a nicer format:

http://www.zope.org:18200/REQUEST

This is very handy for debugging purposes.

RESPONSE has not yet been created at the time of traversal, so that will
give a not found error.

--
Martijn Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| Tel: +31-35-7502100 Fax: +31-35-7502111
| mailto:mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149