[Zope] Using Access Rules

Dennis Allison allison at sumeru.stanford.EDU
Fri Apr 30 19:27:13 EDT 2004


Duh.. you are right.  It is vulnerable to several possible attacks--
a backdoor access controlling environment variable, explicit deletion
through the ZMI (I think that'll work--but I've not tried), and so forth.

Maybe you can propose a better solution.  I have material which is to be 
revealed only at the right time and place.  For example, tests and their 
answers.  Our authentication is for the role and we (try to) manage access 
control on the other parameters explicitly in Zope code.  How do we
prevent end-round access?

On Fri, 30 Apr 2004, Jamie Heilman wrote:

> Dennis Allison wrote:
> > Suppose I have pages stored in a folder structure rooted at /foo.  The 
> > view security permission on /foo/...  requires an Authenticated User.
> > Normally pages are served from /foo/... under programmatic control and 
> > additional constraints are applied.  But, if the user creates another
> > browser window and if he/she knows the URL (or the root URL) they can 
> > move about /foo/... however they want by simply entering the URL into 
> > the browser.  (This works because they are authenticated and the 
> > authentication is shared in the browser.)
> 
> So, why is that a problem?  You can't stop that with access rules
> anyway, you can't stop anything with access rules, users can choose to
> disable them on a whim.
> 
> -- 
> Jamie Heilman                     http://audible.transient.net/~jamie/
> "I was in love once -- a Sinclair ZX-81.  People said, "No, Holly,
>  she's not for you." She was cheap, she was stupid and she wouldn't
>  load -- well, not for me, anyway."                     -Holly
> 
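The design problem Dennis describes, as an added illustration that is not part of the thread and uses no Zope API: material (exam questions, answers) must be visible only to a role and only after a release time, and an authenticated user can type any URL directly, so the decision cannot depend on how the user navigated. The check below evaluates the whole policy (object exists, role permitted, release time reached) on every request and deliberately ignores the referring page. The catalogue, paths, roles and times are constructed for the example.

```python
"""Added example: evaluate a time-gated, role-gated policy on every request.

Hiding a link or serving pages only through a controlled flow does not stop a
user who already holds the role and knows the URL.  The policy itself has to
be enforced at the object on each access.  All data here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    path: str
    required_role: str
    release_at: datetime  # earliest instant at which the content may be viewed


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


UTC = timezone.utc

# Constructed catalogue of protected objects under /foo.  Anything not listed
# is denied by default, so unlisted paths under /foo cannot be browsed either.
CATALOG: Dict[str, Resource] = {
    "/foo/exam1/questions": Resource(
        "/foo/exam1/questions", "Student", datetime(2004, 5, 3, 9, 0, tzinfo=UTC)),
    "/foo/exam1/answers": Resource(
        "/foo/exam1/answers", "Student", datetime(2004, 5, 3, 12, 0, tzinfo=UTC)),
}


def authorize(principal: Principal, path: str, now: datetime,
              referer: Optional[str] = None) -> Tuple[bool, str]:
    """Decide access for one request.

    `referer` is accepted only to make the point explicit: it is never used.
    The navigation path a browser took is attacker-controlled and carries no
    authority, so the decision rests solely on the object, the role and time.
    """
    res = CATALOG.get(path)
    if res is None:
        return False, "no such object"
    # Role check: the required role, or the site manager, may view it.
    if res.required_role not in principal.roles and "Manager" not in principal.roles:
        return False, "role not permitted"
    # Time gate: the same rule applies whether the link was followed or typed.
    if now < res.release_at:
        return False, "not yet released"
    return True, "ok"


def visible_paths(principal: Principal, now: datetime) -> list:
    """Paths the principal may currently view.  Suitable for building a menu,
    but the menu is presentation only; `authorize` still runs on each hit."""
    return sorted(p for p in CATALOG if authorize(principal, p, now)[0])


if __name__ == "__main__":
    student = Principal("alice", frozenset({"Authenticated", "Student"}))
    during_exam = datetime(2004, 5, 3, 9, 30, tzinfo=UTC)
    # A typed URL to the answers during the exam is refused, referer or not.
    print(authorize(student, "/foo/exam1/answers", during_exam,
                    referer="/foo/exam1/questions"))
    print(visible_paths(student, during_exam))
```

The separation matters: `visible_paths` decides what to show, `authorize` decides what to serve, and only the latter is trusted. A user who opens a second window and types `/foo/exam1/answers` gets the same refusal as one who follows no link at all.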