[Zope] Obscure security?
Oliver Bleutgen
myzope@gmx.net
Thu, 22 Nov 2001 13:30:11 +0100
Ragnar Beer wrote:
> Howdy!
>
> I spent some time searching the documentation for an explanation of the
> "Access_contents_information" permission but didn't find anything. I
> think this is vital information for any Zope admin and should be easy to
> find. How can I set up permissions when I can't find out exactly what
> permissions I'm actually granting?
>
> I'm (once again) in the situation where an authenticated user cannot
> access an object unless the "Anonymous" role is given the permission to
> "Access_contents_information" (the role of the authenticated user has
> that permission). This reminds me of the old non-root Squishdot bug, but
> I can't solve it by upgrading Zope this time, because I already
> installed 2.4.3. On the other hand I can't find out what kind of holes
> I'm opening by giving this permission to "Anonymous".
>
> What can I do?

You can

    find -name "*.py" -exec grep -q 'Access contents information' \{\} \; -print

./AccessControl/Permissions.py
./HelpSys/HelpSys.py
./HelpSys/HelpTopic.py
./OFS/Cache.py
./OFS/ObjectManager.py
./OFS/PropertyManager.py
./OFS/PropertySheets.py
./OFS/ZDOM.py
./Products/OFSP/help/ObjectManager.py
./Products/OFSP/help/PropertyManager.py
./Products/OFSP/help/PropertySheet.py
./ZClasses/Property.py
./webdav/Resource.py

(this is Zope 2.3.3)

The relevant files should be everything under OFS/,
esp. ObjectManager.py and Property*.py,
and the Zope help->API Documentation, which contains
help for the above-mentioned classes (including permissions).

cheers,
oliver
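
The grep above names the files that mention the permission; the following added example (not part of the original message, and not Zope's own code) goes one step further and lists which method names each file places under it. It assumes the Zope 2 convention of declaring permissions in `__ac_permissions__` tuples of (permission, method names[, default roles]); `guarded_names`, `scan_tree` and the sample class are hypothetical names, and the source is read as text under Python 3, never imported.

```python
import ast
import re
from pathlib import Path

PERMISSION = "Access contents information"
_DECL = re.compile(r"__ac_permissions__\s*=\s*\(")

# Constructed sample in the Zope 2 declaration style; not copied from Zope source.
SAMPLE = '''
class Folderish:
    __ac_permissions__ = (
        ('View management screens', ('manage_main',)),
        ('Access contents information',
         ('objectIds', 'objectValues', 'objectItems'),  # listing (methods)
         ('Anonymous', 'Manager')),
    )
'''

def _literal_after(text, start):
    """Evaluate the tuple literal that opens at text[start]; None if not a literal."""
    for m in re.finditer(r"\)", text[start:]):
        try:
            return ast.literal_eval(text[start:start + m.end()])
        except SyntaxError:
            continue        # still inside the expression; extend to the next ')'
        except ValueError:
            return None     # complete but built from names; read that file by hand
    return None

def guarded_names(source, permission=PERMISSION):
    """Method names that `permission` protects in one module's source text."""
    names = []
    for m in _DECL.finditer(source):
        entries = _literal_after(source, m.end() - 1)
        for entry in entries if isinstance(entries, tuple) else ():
            if isinstance(entry, tuple) and len(entry) >= 2 and entry[0] == permission:
                names.extend(entry[1])
    return names

def scan_tree(root, permission=PERMISSION):
    """Map each .py file under root to the names the permission guards there."""
    hits = {}
    for path in Path(root).rglob("*.py"):
        names = guarded_names(path.read_text(encoding="latin-1"), permission)
        if names:
            hits[str(path)] = names
    return hits
```

Run `scan_tree` on the directory the `find` command was started from; files that grep reports but this scan omits build their declaration from expressions or only mention the permission in help text.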