[Zope] Help (emergency) How to Undo last ZODB transaction when Zope

Shai Berger shai@aristocart.com
Thu, 02 Aug 2001 15:05:10 +0300


Joachim Werner wrote:
> 
> I can't see any security-related issues here. I mean, if you don't do
> anything against it (like having a packet-filter/firewall/proxy in front of
> the Zope server), any of the original ports will still be kind of accessible
> anyway.

To close the ftp and webdav (I suppose this is what you mean), add
the -X flag, followed by -w<Web port> and/or -F <fast-cgi socket>,
to your Zope start-up script.

> Regardless of whether you can override the access rule or not. How
> would you "protect" a site using siterules? I'm not talking about Apache
> siterules, which can safely be used for protection I guess.
> 

Now, under the assumption that access rules are always in force, you
could do a lot of things, most obviously trying to prevent direct
access to some methods (in my experience, proxy roles can bring you
hours of anguish).

Under "Security" here I'm pulling not just mere access, but also
pre-conditions for access. Suppressing the access rule might in
some cases violate assumptions of such, which could possibly lead
to many problems -- from simple errors to security breaches.

In my opinion, an access rule which is overridable from the request
is an invitation for trouble -- security-wise or otherwise.

Have fun,
	Shai.