[Zope] Security question concerning DTML Method

Dieter Maurer dieter@handshake.de
Thu, 18 Apr 2002 23:41:19 +0200


oliver.erlewein@sqs.de writes:
 > I give somebody the right to add "Documents, Images and Files" and don't give him the right to "Change DTML Method". Then I login as that user and I get DTML Method in the drop down list (already peculiar) and when I select it I can create a DTML Method AND upload a file to it!!!! Although when I try to change the DTML Method then I get a login window asking me to login (That's OK). So I can't change anything afterwards but I can upload what I want.
 > 
 > This is somehow a quite drastic security breach in my humble opinion. Maybe it would help splitting the Add Right in three parts?!
I do not see a security breach:

   Everything happens as the chosen permission terms suggest.

   You can add Methods (as "Documents") but you cannot change them.

   If you need fine grained security, make your own subclasses
   and protect them as you feel they should be protected.


Dieter