[Zope] Help (emergency) How to Undo last ZODB transaction when Zope

Shai Berger shai@aristocart.com
Thu, 02 Aug 2001 11:41:06 +0300


Chris wrote,
> 
> Try:
> 
> http://yoursite/_SUPPRESS_ACCESSRULE/manage
> 
And I was shocked and dismayed to find out that this actually works.
It seems like a huge potential security breach for the unwary, since
it is available for any attacker. Granted, access rules are not really
intended for security, but it is very easy to assume that they always work,
and make decisions with security implications based on that assumption.

I read digests, so I only saw Gerd's request for help now; I would expect
the right answer to be what the AccessRule product says:
"""
If an Access Rule is broken, and is preventing normal access, it can be disabled
by restarting Zope with environment variable SUPPRESS_ACCESSRULE set.
"""
Because this is only available to people who can manage Zope anyway.

(Looking for the exact variable name, I ran into the URL modification trick
mentioned under "History"... so I hereby RTFM myself. Well, not really; I have
read the FM before, and it wasn't there!)

Have fun,
	Shai.
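The point Shai makes above, that a request-level access rule is not a security boundary because it can be switched off per request with the `_SUPPRESS_ACCESSRULE` URL segment, is easier to see in a small model. The following is an added example written for this page, not Zope code and not anything from the thread: it is a toy dispatcher that applies an access rule before traversal and an object-level permission check after it, and lets the rule be skipped either by the URL segment or by the `SUPPRESS_ACCESSRULE` environment variable read once at start-up, as the AccessRule documentation quoted above describes. `Site`, `Request`, `Resource`, `deny_manage_rule` and `probe` are hypothetical names; the role names and the "ZMI" body are constructed for the example.

```python
import os
from dataclasses import dataclass

SUPPRESS_SEGMENT = "_SUPPRESS_ACCESSRULE"  # URL segment named in the thread
SUPPRESS_ENV = "SUPPRESS_ACCESSRULE"       # environment variable named in the thread


@dataclass(frozen=True)
class Request:
    path: str
    roles: frozenset = frozenset({"Anonymous"})


@dataclass(frozen=True)
class Resource:
    name: str
    view_roles: frozenset  # roles to which the object's own permission grants access
    body: str


class Site:
    """Toy publisher (hypothetical, not Zope): an optional access rule runs
    before traversal and may short-circuit with a response; the object's own
    permission is checked after traversal. The rule is skipped when the path
    starts with _SUPPRESS_ACCESSRULE (the per-request URL trick) or when the
    environment variable was set when the site started (the documented way)."""

    def __init__(self, objects, access_rule=None, env=None):
        self.objects = {o.name: o for o in objects}
        self.access_rule = access_rule
        env = os.environ if env is None else env
        # Read once at start-up, mirroring "restart Zope with SUPPRESS_ACCESSRULE set".
        self.rules_disabled = SUPPRESS_ENV in env

    def publish(self, req):
        segments = [s for s in req.path.split("/") if s]
        suppressed = self.rules_disabled
        if segments and segments[0] == SUPPRESS_SEGMENT:
            suppressed = True  # any client can request this; no credentials involved
            segments = segments[1:]
        if self.access_rule is not None and not suppressed:
            verdict = self.access_rule(req, segments)
            if verdict is not None:
                return verdict
        if not segments:
            return (404, "Not Found")
        obj = self.objects.get(segments[-1])
        if obj is None:
            return (404, "Not Found")
        # The real security boundary: the object's own permission, never skipped.
        if not (obj.view_roles & req.roles):
            return (401, "Unauthorized")
        return (200, obj.body)


def deny_manage_rule(req, segments):
    """An access rule misused as a security control: refuse /manage to
    anyone who is not a Manager."""
    if segments and segments[0] == "manage" and "Manager" not in req.roles:
        return (403, "Forbidden by access rule")
    return None


ANON = frozenset({"Anonymous"})
MANAGER = frozenset({"Anonymous", "Authenticated", "Manager"})

# Relies on the access rule alone: the object itself is viewable by anyone.
weak_site = Site(
    [Resource("manage", view_roles=frozenset({"Anonymous", "Manager"}), body="ZMI")],
    access_rule=deny_manage_rule,
)
# Same rule, but the object's permission also requires the Manager role.
hardened_site = Site(
    [Resource("manage", view_roles=frozenset({"Manager"}), body="ZMI")],
    access_rule=deny_manage_rule,
)


def probe(site, roles=ANON):
    """Status codes for the normal URL and for the _SUPPRESS_ACCESSRULE URL."""
    normal = site.publish(Request("/manage", roles))[0]
    bypass = site.publish(Request("/" + SUPPRESS_SEGMENT + "/manage", roles))[0]
    return normal, bypass


if __name__ == "__main__":
    print("rule only, anonymous :", probe(weak_site))            # (403, 200)
    print("permission, anonymous:", probe(hardened_site))        # (403, 401)
    print("permission, manager  :", probe(hardened_site, MANAGER))  # (200, 200)
```

The first line of output is the case the message warns about: the rule alone says 403, but prefixing the path with the suppression segment yields 200 because nothing else stood in the way. With the permission set on the object, suppressing the rule changes the response from 403 to 401, that is, the rule was only ever a convenience layer and the decision that matters was taken elsewhere. The same holds when the rule is disabled by the environment variable at start-up: the per-object check still applies, which is why that route is acceptable for an administrator recovering from a broken rule while the URL route is a problem for everyone else.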