[Zope] How safe is "view management screens"?

Michel Pelletier michel@digicool.com
Sun, 20 Feb 2000 20:06:05 -0800


Lalo Martins wrote:
> 
> Since one of my sites doesn't use any password-protected
> database connection, or anything else that I can't let my users
> see, and since the site is primarily directed at the Free
> Software community, I'm considering a way of allowing users to
> view all my source code.
> 
> Just adding a ``view source'' method may not cut it, because
> cross-method calls would obscure a lot of the thing.
> 
> I was thinking that perhaps the most easy and powerful way
> would be giving ``View management screens'' to Anonymous.
> Assuming I don't give them any add/change/delete permissions,
> that should be safe enough, no? Or am I missing something?

No, it SHOULD be safe.  Note that no one has done a full security audit
of Zope.  But, for the purposes of delegating management, the ability to
'view' a management screen and the ability to change something are
always different permissions.  For example, members of zope.org can
view the management interface, but not necessarily do anything we don't
want them to.

-Michel