[Zope] Newbie Security Query

Kevin Dangoor kid@kendermedia.com
Mon, 7 Feb 2000 11:02:32 -0500


----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "Zope Mailing List" <zope@zope.org>
Sent: Monday, February 07, 2000 10:30 AM
Subject: [Zope] Newbie Security Query


> If you go to http://www.zope.org/title_or_id you get the result of the
> title_or_id method. The same is true of the manage method and the REQUEST
> method. Me being paranoid, this makes me wonder whether there are any 'bad'
> methods that could be executed in this way, without any security
> authorization?

There's nothing *very* bad that can be executed without permission.
"objectIds" is questionable.

> Again, being paranoid, how would you go about turning off the title_or_id
> or REQUEST methods, or at least requiring authorisation to use them? (While
> of course leaving it possible for DTML methods and the like within the site
> to call them)

I don't know that there is any way to do so. I don't think the security
machinery differentiates between things called from the web directly and
called from DTML (though it is only through my observations that I say this,
I haven't looked at that part of the code).

> Finally, if you had a DTML document, method or image, etc, called
> title_or_id or manage, how would you go about getting the one you want,
> either the document or the result of calling the method?

Hmmm... I don't think I'd be brave enough to name something "manage" :)

Kevin