[Zope] set accessrule
jbr@FIZ-Karlsruhe.DE
Fri, 22 Mar 2002 00:38:59 +0100 (MET)
Hello,
Summary of "Set Access Rule" with Zope 2.5.0
1.) For a folder testfolder I have set "Set Access Rule" to the Python script accessHB
to limit access.
2.) As Chris McDonough has shown (thanks!), accessHB works like this:
> From chrism@zope.com Thu Mar 21 19:21 MET 2002
> Subject: Re: [Zope] set accessrule
> Date: Thu, 21 Mar 2002 13:26:28 -0500
>
> Hi,
>
> I wouldn't bother to try to pass in REQUEST (the caller for access rules
> does not pass any arguments in to the script). Instead, get the REQUEST
> from context ala context.REQUEST. I think the test tab populates REQUEST
> for you via magic that doesn't happen when an access rule is called.
>
> Your script becomes:
>
> -----------------------------------------
> ## Script (Python) "accessruleHB"
> ##bind container=container
> ##bind context=context
> ##bind namespace=
> ##bind script=script
> ##bind subpath=traverse_subpath
> ##parameters=
> ##title=
>
> if context.REQUEST.SESSION.get('MySessionId') is None:
>     context.REQUEST.RESPONSE.redirect('/rootfolder')
> -----------------------------------------
>
But there is a security problem with "Set Access Rule":
Any user, even an unauthorized one, can get access to the folder (which
is restricted by the access rule) if he adds _SUPPRESS_ACCESSRULE to the URL:
http: ... testfolder/_SUPPRESS_ACCESSRULE
gives access to the restricted folder testfolder.
This may be a bug, or it may have been done to get access in case of emergency, but
it makes "Set Access Rule" (more or less) useless.
What can I do to prevent Zope from giving access when _SUPPRESS_ACCESSRULE is added?
Do I have to modify the programmes which implement "Set Access Rule"?
I don't even know where these programmes are located.
With kind regards, Juergen Berger
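The behaviour described in the post, as an added stand-alone model (not Zope's or SiteAccess's code, and not the poster's script): the session check from accessHB, a weak dispatch that skips the rule whenever the marker appears in the path, and a hardened dispatch that honours the marker only for a Manager. The function names and the Manager-only policy are assumptions for illustration.

```python
# Added example, not Zope's code: a minimal model of an access-rule hook.
# It shows why the URL marker defeats the rule and one way a hook could
# be hardened (assumed policy: honour the marker only for a Manager).

SUPPRESS_MARKER = "_SUPPRESS_ACCESSRULE"


def access_rule(session):
    """Model of the accessHB script: allow only if a session id exists."""
    if session.get("MySessionId") is None:
        return "redirect:/rootfolder"
    return "allow"


def _segments(path):
    """Split a URL path into its traversal segments."""
    return [s for s in path.strip("/").split("/") if s]


def traverse_weak(path, session, roles):
    """Weak hook: any request carrying the marker bypasses the rule,
    regardless of who sends it (the problem reported in the post)."""
    if SUPPRESS_MARKER in _segments(path):
        return "allow"
    return access_rule(session)


def traverse_hardened(path, session, roles):
    """Hardened hook (assumed policy): the marker is honoured only when the
    user holds the Manager role; otherwise the rule still runs."""
    if SUPPRESS_MARKER in _segments(path) and "Manager" in roles:
        return "allow"
    return access_rule(session)


if __name__ == "__main__":
    # Constructed sample requests: an anonymous visitor with no session.
    print(traverse_weak("/testfolder/_SUPPRESS_ACCESSRULE", {}, ["Anonymous"]))
    print(traverse_hardened("/testfolder/_SUPPRESS_ACCESSRULE", {}, ["Anonymous"]))
```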