[Zope] manage permissions

dave@kovach.com dave@kovach.com
11 May 2001 16:36:43 -0700


Thanks for the tip on the product. Will look into it.

I need to dive into the security issues, but I have moved a lot of my stuff to a hosting environment that definitely has more experience with this stuff. That way I can focus on developing more and admin'ing less.

But the security seems a little lax with Zope. With the flip of a checkbox, anyone can then get into my backend. Not good. And to do it on error is, I think, even worse. Would never fly in corporate land.

But Zope rocks nonetheless.

Thanks

David


On Fri, 11 May 2001, Flynt wrote:

> 
> Charlie Blanchard wrote:
> > 
> > On Fri, May 11, 2001 at 01:58:50PM -0600, Casey Duncan wrote:
> > [snippity snip snip]
> > >
> > > It sounds like your Anonymous role has the View management
> > > screen permission set somewhere (like at the root). Check it in
> > > the security tab of your root folder.
> > >
> > After reading this post I felt the need to check my server to
> > double check my settings and wonder if there is some source of
> > info about some of the permissions that I'm overlooking.
> > For instance, just what is it that allowing "Access contents
> > information" permits or blocks? And what baseline permissions
> > should be enabled/disabled on a 'live production' server as a
> > matter of good practice? Any info that someone can provide or
> > point to would be very welcome indeed...
> > 
> > tia,
> > --
> 
> Hi Charlie, hi Dave
> 
> There is a product by Tres Seaver which at least helps to get a better
> look into a Zope installation's actual security settings. I just mention
> it in case you don't know:
> 
> http://www.zope.org/Members/tseaver/ZopeSecurityAudit
> 
> Maybe, this is of some help for you. It was for me.
> 
> Flynt
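
Added example, not part of the thread and not Zope or ZopeSecurityAudit code: a simplified Python model of the check Casey Duncan describes, walking a folder tree to find where the Anonymous role holds "View management screens", either set locally or acquired from a parent such as the root. The `Node` class, the sample tree and the acquire-flag semantics are assumptions made for illustration.

```python
# Simplified model of per-object permission settings (NOT Zope's API).
# Each node stores, per permission, the roles ticked on its Security tab
# and whether permission settings are acquired from the parent (assumed model).
from dataclasses import dataclass, field

MGMT = "View management screens"

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    # permission -> (roles ticked locally, acquire from parent?)
    settings: dict = field(default_factory=dict)

    def path(self):
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

def effective_roles(node, permission):
    """Roles holding `permission` at `node`, following acquisition upward."""
    roles, acquire = node.settings.get(permission, (set(), True))
    roles = set(roles)
    if acquire and node.parent is not None:
        roles |= effective_roles(node.parent, permission)
    return roles

def audit(nodes, role="Anonymous", permission=MGMT):
    """Return (path, cause) for every node where `role` holds `permission`."""
    findings = []
    for n in nodes:
        if role in effective_roles(n, permission):
            local = n.settings.get(permission, (set(), True))[0]
            cause = "set here" if role in local else "acquired"
            findings.append((n.path(), cause))
    return findings

# Constructed sample tree: the root mistakenly grants the permission to Anonymous.
root = Node("", settings={MGMT: ({"Manager", "Anonymous"}, False)})
site = Node("site", root)                                   # acquires everything
admin = Node("admin", site, {MGMT: ({"Manager"}, False)})   # acquisition turned off
TREE = [root, site, admin]

if __name__ == "__main__":
    for path, cause in audit(TREE):
        print(f"{path}: Anonymous can {MGMT} ({cause})")
```

The "acquired" findings are why the advice in the thread is to check the root folder first: removing the role there clears every child that inherits it.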