[Zope] newbie questions about security

danny shevitz danny_shevitz@yahoo.com
Thu, 3 Feb 2000 17:32:40 -0800 (PST)


I'm trying to understand various aspects of permissions. I wanted to
encapsulate my whole web site, so beneath / (root) I put a /Home folder.
I would like only the contents of /Home to be viewable. I first set the
protection of / to be not viewable by anonymous but then any time I try
to do anything I have to enter a password. I worked around this by
making the /index_html not viewable by anonymous, but leaving /Home
viewable. Is this the way I am supposed to do it, at the document level
as opposed to the folder level?

Next I decided to try and squirrel away all my images into a /Home/img
folder. I don't want anything in this folder to be directly viewable.
So I created an index_html document (more on this later) and made it
not viewable. Fine, anonymous can't read it, so that works, but I have
to make the images viewable. If I make /Home/img not viewable (don't
acquire permissions) then the whole directory requires a password any
time I access an image. So I let /Home/img acquire permissions, and try
and change the permissions at the image level. Now the problem is that
if I make the images directly viewable, I can access them from /Home
which is what I want, but I can also get to them explicitly via
/Home/img/ImageName which I don't want. So I can get the image even
though /Home/img is password protected. What is the correct way to have
an image folder be totally non-viewable but still accessible from
another folder?

A weird/cool feature I discovered, which may be interesting to other
newbies, is that acquisition acquires the protection of the parent, not
the child. At least I found this. I made my /Home/img folder not
viewable by anonymous, but didn't put an index_html document in it.
Surprisingly, as anonymous I could view /Home/img. My guess is that the
index_html document was inherited from /Home which was viewable so the
permissions of /Home applied, rather than the permissions of /Home/img.

Danny
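
The guess in the last paragraph of the message above, as a toy model added here (not part of the original post, not Zope code, and not using Zope's API): a default document found by acquisition is checked where it lives, so a restricted folder without its own index_html serves its parent's. The `Node` class, `view_roles`, the role names and the `check_context` option are hypothetical, and the site layout is constructed from the post's description.

```python
# Toy model, not Zope code: a folder tree with acquisition-style name lookup.
ACQUIRE = None  # marker: take the View setting from the container

class Node:
    def __init__(self, name, parent=None, view_roles=ACQUIRE):
        self.name, self.parent, self.view_roles = name, parent, view_roles
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def path(self):
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

def acquire(folder, name):
    """Look up name in folder, then in each container above it."""
    while folder is not None:
        if name in folder.children:
            return folder.children[name]
        folder = folder.parent
    return None

def effective_roles(node):
    """Roles allowed to View node, following its containment chain."""
    while node is not None:
        if node.view_roles is not ACQUIRE:
            return node.view_roles
        node = node.parent
    return set()

def publish(folder, role, check_context=False):
    """Serve folder's default document to a user holding role."""
    doc = acquire(folder, "index_html")
    if doc is None:
        return "404"
    allowed = role in effective_roles(doc)  # checked where the document lives
    if check_context:  # hypothetical stricter rule: requested folder must allow View too
        allowed = allowed and role in effective_roles(folder)
    return "200 " + doc.path() if allowed else "401"

def build_site():
    # Constructed layout: /Home viewable, /Home/img restricted, no index_html in img.
    root = Node("", view_roles={"Anonymous", "Manager"})
    home = Node("Home", root, view_roles={"Anonymous", "Manager"})
    Node("index_html", home)
    img = Node("img", home, view_roles={"Manager"})
    return root, home, img
```

In this model, giving /Home/img its own index_html that acquires the folder's setting turns the anonymous request into a 401, which matches the workaround described in the second paragraph of the message.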