[Zope] Weird problem with permissions

Florian Lindner mailinglists at xgm.de
Sun Oct 5 14:35:45 EDT 2003


> Well, some users feel that giving anonymous users the right to send mail
> is not a good idea (-:   Looks like you have this problem resolved!

Is there any way to send emails with the Mailhost except via Scripts?

>
> On Sun, 5 Oct 2003, Florian Lindner wrote:
>
>> Hello,
>> I've tracked it down:
>>
>> msg = context.confirm_subscription.absolute_url() + "?ID=" + str(rnd)
>>
>> context.MailHost.simple_send(REQUEST.email, "webmaster at centershock.net", "centershocknet: confirmation required", msg)  <--
>>
>> If I uncomment the marked line, it works (the msg=... line is only for a
>> better understanding).
>> When I enable
>>    Use mailhost services
>> for anonymous it works! What are the (dangerous) implications of this
>> permission? Why is it not enabled by default?
>> Thanks,
>> Florian
>>
>> Dennis Allison wrote:
>> > Which Zope are you running?  I'd install Shane's Verbose Security Product
>> > and use it to track down the protection failure.   No protection problem
>> > jumps out at me from your precis code.
>> >
>> > On Sun, 5 Oct 2003, Florian Lindner wrote:
>> >
>> >
>> >>Dennis Allison wrote:
>> >>
>> >>>What does the form action do?
>> >>
>> >>It sends the form data with POST to a script:
>> >>
>> >>   <form action="generatePending" method="post">
>> >>
>> >>The script does some checks on the input data:
>> >>
>> >>   if REQUEST.name == '':
>> >>
>> >>and calls some SQL-Methods
>> >>
>> >>   context.addPendingUser(ID=rnd, name=REQUEST.name, email=REQUEST.email)
>> >>
>> >>At the end it redirects to a confirmation page:
>> >>
>> >>   RESPONSE.redirect(context['conf_required.zpt'].absolute_url())
>> >>
>> >>That's about all.
>> >>
>> >>All permissions of all involved objects are set to "Acquired".
>> >>
>> >>Thanks,
>> >>Florian
>> >>
>> >>
>> >>
>> >>>On Sun, 5 Oct 2003, Florian Lindner wrote:
>> >>>
>> >>>
>> >>>
>> >>>>Dennis Allison wrote:
>> >>>>
>> >>>>
>> >>>>
>> >>>>>Look at the security sessions of the root folder from which acquired
>> >>>>>permissions are derived.  I suspect that anonymous users don't have the
>> >>>>>necessary permissions.
>> >>>>
>> >>>>All permissions are set to Manager, except these, which additionally have
>> >>>>Anonymous set:
>> >>>>
>> >>>>Access Transient Objects
>> >>>>Access contents information
>> >>>>Access session data
>> >>>>Copy or Move (why is this granted to Anons?)
>> >>>>Query Vocabulary
>> >>>>Search ZCatalog
>> >>>>Use Database Methods
>> >>>>View
>> >>>>WebDAV access
>> >>>>
>> >>>>What is wrong/missing?
>> >>>>
>> >>>>Is there anywhere an explanation of what all these permissions mean?
>> >>>>
>> >>>>Thanks,
>> >>>>Florian
>> >>>>
>> >>>>
>> >>>>
>> >>>>>On Sun, 5 Oct 2003, Florian Lindner wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>>Hello,
>> >>>>>>I've just discovered a strange thing with my (test-)site. I don't know
>> >>>>>>if it was from the beginning, or if I changed something.
>> >>>>>>I'm using CookieCrumbler for authentication. I'm not logged in
>> >>>>>>(Anonymous User).
>> >>>>>>I've a page template with a form. The action attribute of the form
>> >>>>>>refers to a Python Script object. But if I submit the form I'm
>> >>>>>>redirected to the login page (the page set in CookieCrumbler). Obviously
>> >>>>>>an anonymous user doesn't have permission to execute the script. All
>> >>>>>>permissions are set to acquire, in the objects and in the upper folders.
>> >>>>>>Is this normal? Which permissions do I have to set?
>> >>>>>>I have the same behavior with a page template which just calls a
>> >>>>>>SQL method and displays (tal:repeat) the results. I've changed no
>> >>>>>>security permissions.
>> >>>>>>Everything works when I'm logged in with a user.
>> >>>>>>What is wrong?

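The thread turns on why "Use mailhost services" is not acquired by Anonymous while "View" is, and what granting it site-wide would imply. Here is an added Python model (not code from the thread or from Zope) of acquired permission settings: "Acquired" defers to the parent folder, and a script's proxy roles, a Zope feature represented here in simplified form, stand in for the caller's roles while the script runs, so one script can send mail without handing the permission to every anonymous request at the root.

```python
"""Constructed model of Zope-style acquired permissions (not Zope code).
Names come from the thread: root grants "Use mailhost services" only to
Manager, a few permissions also to Anonymous, and generatePending calls
MailHost.simple_send.  Proxy-role handling is a simplifying assumption."""


class Node:
    """Folder or object; settings maps a permission to "Acquired" or a role set."""

    def __init__(self, name, parent=None, settings=None, proxy_roles=()):
        self.name = name
        self.parent = parent
        self.settings = dict(settings or {})
        self.proxy_roles = set(proxy_roles)  # only scripts carry these

    def roles_for(self, permission):
        """Walk up the tree until a setting that is not "Acquired" is found."""
        node = self
        while node is not None:
            roles = node.settings.get(permission, "Acquired")
            if roles != "Acquired":
                return set(roles)
            node = node.parent
        return set()  # granted nowhere: deny


def has_permission(obj, permission, user_roles, caller=None):
    """True if the user, or the proxy roles of the calling script, holds a
    role that grants `permission` on obj."""
    effective = set(user_roles)
    if caller is not None and caller.proxy_roles:
        effective = set(caller.proxy_roles)  # script's roles replace the caller's
    return bool(effective & obj.roles_for(permission))


# Root folder as described in the thread (a subset of the Anonymous list).
ANON_PERMS = ["Access contents information", "View", "Use Database Methods",
              "Search ZCatalog", "Copy or Move"]
ROOT = Node("root", settings={"Use mailhost services": {"Manager"},
                              **{p: {"Manager", "Anonymous"} for p in ANON_PERMS}})
SITE = Node("site", ROOT)         # everything left on "Acquired"
MAILHOST = Node("MailHost", SITE)


def anonymous_can_send_mail(use_proxy_role=False):
    """Anonymous submits the form to generatePending, which calls simple_send."""
    script = Node("generatePending", SITE,
                  proxy_roles={"Manager"} if use_proxy_role else ())
    can_run = has_permission(script, "View", {"Anonymous"})  # acquired from root
    can_mail = has_permission(MAILHOST, "Use mailhost services", {"Anonymous"}, script)
    return can_run and can_mail
```

The first call reproduces the redirect to the login page seen in the thread; the second shows that a proxy role on the one script grants mail sending only inside that script, which is a narrower change than giving Anonymous the permission at the root.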