[Zope] Choose proper view permission / How to build a secure Site? (long)

Peter Ehrenberg pe@dipe.de
18 Feb 2002 15:47:26 +0100


Dear Readers!

There is a (IMHO) subtle difference in respect to the view permission
between DTML documents and DTML methods (this is true at least for
Zope 2.5.0):

    If you insert into index_html the content of one DTML document and
    one DTML method, you need view permission for the method but not
    necessarily for the document.

On the other hand you don't need access-contents-information
permission for the method. (I don't know which operation on the method
requires this permission.)

Why?

Now the long description.

Imagine the following object tree:

   root
    |
    +-  myFolder
    |      |
    ~ ...  +- index_html
    ~      |
           +- mySubfolder1
           |      |
           |      +- myDocument
           |
           +- mySubfolder2
           |      |
           ~ ...  +- myDocument
           ~
           |
           +- mySubfolderN
           |      |
           |      +- myDocument
           |
           +- myMethod
           |
           ~ ...
           ~

There is the DTML method index_html. It's responsible (per
acquisition) for viewing the content of one of the myDocument documents
from one of the mySubFolder1..N folders. It also uses myMethod. Both
myDocument and myMethod are inserted into index_html via
<dtml-var...>.

There are N DTML documents myDocument, each including some content, each
in its own subfolder. You can view one myDocument by requesting
http://myFolder/mySubfolderX with X being one of 1 to N.

There is the DTML method myMethod which creates some content based on
the properties of the current document.

So far so good. But now: How to set up strict access permissions? (At
the moment I'm only talking about permissions for read access to the
objects via their URL --- a.k.a. "the third view".)

The requirements for the permissions are (this is what I want):

    1. index_html is viewable for anonymous.
    2. Only index_html is directly viewable. So
       http://myFolder/mySubfolder1 to http://myFolder/mySubfolderN
       are the only valid URLs.

    3. From 2 follows: all myDocument documents and the myMethod
       method must not be directly viewable but only by (or through)
       index_html. So requests to http://myFolder/myMethod or
       http://myFolder/mySubfolderX/myDocument are not permitted.

I tried this:

     o remove view permission from myFolder and

     o set view permission explicitly on index_html.

To my surprise this doesn't work but results in an error at request
http://myFolder/mySubfolderX:

    Error Type: Unauthorized
    Error Value: You are not allowed to access myMethod in this context

I have to give view permission to myMethod as a workaround. However,
now myMethod can be directly viewed via its URL, which it shouldn't.

My questions now are:

    1. Why is it as it is? I mean: is it a bug or a feature?

    2. How to set up the objects properly, to fit the above
       requirements?

With Respect
Peter
-- 
Dipl.-Ing. Peter Ehrenberg                         Tel.: (040) 756604-40
Rotenhäuser Straße 51                              Fax: (040) 756604-41
21109 Hamburg                                   Netz: http://www.dipe.de
Germany                                                mailto:pe@dipe.de
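An added example, not from Peter's mail and not Zope code: a toy Python model of how Zope 2 resolves the View permission by acquisition and why the check hits myMethod even when it is only inserted from index_html. The security check is always made against the accessed object, never against the URL or the calling method; the only thing a calling DTML method can change is the effective roles, via its proxy roles (a real Zope feature, modelled here as a plain attribute). Assumptions, all labelled in the code: the root grants View to Manager and Anonymous, myFolder has acquisition for View switched off with only Manager checked, and only the myMethod insertion is modelled (the document case the mail describes is left out).

```python
"""Constructed model of Zope 2 style 'View' permission acquisition (not Zope
code). Each object either lists the roles granted 'View' explicitly or
acquires them from its container; may_view() checks the accessed object."""


class Obj:
    def __init__(self, name, parent=None, roles=None, acquire=True, proxy_roles=None):
        self.name, self.parent, self.children = name, parent, {}
        self.roles = set(roles or [])   # roles explicitly granted 'View' here
        self.acquire = acquire          # also acquire 'View' roles from the parent?
        self.proxy_roles = proxy_roles  # assumed attribute: proxy roles of a DTML method
        if parent is not None:
            parent.children[name] = self

    def view_roles(self):
        roles = set(self.roles)
        if self.acquire and self.parent is not None:
            roles |= self.parent.view_roles()
        return roles


def may_view(obj, user_roles, caller=None):
    """'View' check on the accessed object. If the executing DTML method has
    proxy roles, they replace the user's roles for the duration of the call."""
    effective = set(caller.proxy_roles) if caller and caller.proxy_roles else set(user_roles)
    return bool(effective & obj.view_roles())


def build(method_roles=(), index_proxy=None):
    """Build myFolder as in the mail; method_roles/index_proxy select the variant."""
    root = Obj("root", roles=["Manager", "Anonymous"], acquire=False)   # assumed defaults
    folder = Obj("myFolder", root, roles=["Manager"], acquire=False)    # View: Manager only
    Obj("index_html", folder, roles=["Anonymous"], acquire=False, proxy_roles=index_proxy)
    Obj("myMethod", folder, roles=method_roles)                         # acquires from folder
    return folder


def request(folder, path, user_roles=("Anonymous",)):
    """Simulate GET /myFolder/<path>. A mySubfolderX path acquires index_html,
    whose rendering then inserts myMethod via <dtml-var myMethod>."""
    target = folder.children.get(path, folder.children["index_html"])  # acquisition
    if not may_view(target, user_roles):
        return "Unauthorized: %s" % path
    if target.name == "index_html":
        method = folder.children["myMethod"]
        if not may_view(method, user_roles, caller=target):
            return "Unauthorized: You are not allowed to access myMethod in this context"
    return "OK: rendered %s" % target.name
```

Running the three variants shows the mail's error, the workaround exposing myMethod by URL, and the proxy-roles configuration satisfying requirement 3.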