[Zope] Using Access Rules

Jamie Heilman jamie at audible.transient.net
Fri Apr 30 18:51:04 EDT 2004


Dennis Allison wrote:
> Suppose I have pages stored in a folder structure rooted at /foo.  The 
> view security permission on /foo/...  requires an Authenticated User.
> Normally pages are served from /foo/... under programmatic control and 
> additional constraints are applied.  But, if the user creates another
> browser window and if he/she knows the URL (or the root URL) they can 
> move about /foo/... however they want by simply entering the URL into 
> the browser.  (This works because they are authenticated and the 
> authentication is shared in the browser.)

So, why is that a problem?  You can't stop that with access rules
anyway; you can't stop anything with access rules, since users can choose to
disable them on a whim.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly,
 she's not for you." She was cheap, she was stupid and she wouldn't
 load -- well, not for me, anyway."                     -Holly
