[Zope] Managing security of DTML manage_changeProperties and DTML API

Milos Prudek milos.prudek@tiscali.cz
Wed, 06 Mar 2002 15:02:58 +0100


Is it insecure to allow Manage properties to Anonymous?

My site does not allow Anonymous to Access management screens, Add DTML 
documents, DTML Methods and Python scripts. So there is no way to slip 
in executable content.

It does allow Authenticated users to create documents, but in ZClass 
form, and ZClass instances only have properties so they should not be 
executable.

But it gives Manage properties to Anonymous. Because for some ZClass 
documents the site records number of readers. So the ZClass' index_html 
has propertysheets.data.manage_changeProperties(readers=readers+1)).

Is it possible to call DTML API through a URL? Like 
http://www.site.com/folder/instance1/propertysheets/data/manage_changeProperties?readers=0 
If it is, I'm hosed :-)

Would it be more secure to disallow Manage properties to Anonymous, 
remove the manage_changeProperties line from ZClass' index_html, put it 
in a single line DTML_Method and give that DTML_Method a Manager Proxy 
role? (I'd prefer to not give Manager proxy role to ZClass' index_html)

-- 
Milos Prudek