[Zope] Re: security (edit) problem for ttwtypes

David Vogel vogel at glue.ch
Wed Jan 14 10:13:22 EST 2004


I finally have the solution!!

After trying everything on workflows and debugging for hours, here is the
simple solution:

We have to edit the file '../Products/TTWTYPE/ttwobject.py' in the
Products directory and add a security declaration:

old code:
<snip>
    def edit(self, **kwargs):
        """ update object data """
        keys=kwargs.keys()
        for field in self.fieldNames():
            if field in keys:
                self.store(field,kwargs[field])

        # set Title
        if 'title' in keys: self.title=kwargs['title']
        self.reindexObject()
</snip>

new code:
<snip>
    # 'security' is the class's ClassSecurityInfo() instance (assumed to be
    # defined at class level, as in other CMF content classes). Without a
    # declaration, a method with a docstring is publishable through the web
    # and callable by any user.
    security.declareProtected(CMFCorePermissions.ModifyPortalContent, 'edit')
    def edit(self, **kwargs):
        """ update object data """
        keys=kwargs.keys()
        for field in self.fieldNames():
            if field in keys:
                self.store(field,kwargs[field])

        # set Title
        if 'title' in keys: self.title=kwargs['title']
        self.reindexObject()
</snip>

There are also other security declarations missing for the other functions...

cheers,
david.
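The remark that other functions are also missing declarations suggests a quick audit. The following is an added example (not part of this post or of the TTWType product) that parses a Zope product module with Python's ast module and lists every docstring'd public method that no security.declare*() call names. The TTWObject class in SAMPLE is constructed here to mirror the fragment above; declared_names and find_undeclared_methods are names chosen for this example.

```python
import ast

# Zope publishes a method through the web only if it has a docstring; names
# starting with '_' are never published. A docstring'd public method with no
# security.declare*() covering it is callable by anyone (the post's bug).
DECLARERS = {"declareProtected", "declarePrivate", "declarePublic"}

def declared_names(class_node):
    """Method names covered by security.declare*() calls in a class body."""
    names = set()
    for stmt in class_node.body:
        if not isinstance(stmt, ast.Expr) or not isinstance(stmt.value, ast.Call):
            continue
        func = stmt.value.func
        if not (isinstance(func, ast.Attribute) and func.attr in DECLARERS):
            continue
        # declareProtected(perm, 'a', 'b'); declarePrivate/declarePublic('a', 'b')
        args = stmt.value.args[1:] if func.attr == "declareProtected" else stmt.value.args
        names.update(a.value for a in args
                     if isinstance(a, ast.Constant) and isinstance(a.value, str))
    return names

def find_undeclared_methods(source):
    """Return 'Class.method' for every docstring'd public method lacking a declaration."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        declared = declared_names(node)
        for stmt in node.body:
            if (isinstance(stmt, ast.FunctionDef) and not stmt.name.startswith("_")
                    and ast.get_docstring(stmt) is not None
                    and stmt.name not in declared):
                findings.append(f"{node.name}.{stmt.name}")
    return findings

# Constructed sample modelled on the post's ttwobject.py fragment (not the real file).
SAMPLE = '''
class TTWObject:
    security = ClassSecurityInfo()

    security.declareProtected(CMFCorePermissions.View, 'view')
    def view(self):
        """ render the object """

    def edit(self, **kwargs):
        """ update object data """
        self.reindexObject()
'''
```

Running find_undeclared_methods over SAMPLE reports TTWObject.edit, which is exactly the method the post had to protect.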

vogel at glue.ch wrote:
> I discovered a security problem in my plone/zope installation for every
> ttw-type.
> environment:
> - plone version 1.0.5
> - os: windows 2000
> - installed products: ttwtype, zopexmlmethods
> - created ttwtype 'ttwTypnamesFoo' in folder /myPloneFolder
> 
> 1) at the root folder of my plone instance, I created a role A with
> permissions:
>    a) Access session data  and
>    b) Access Transient Objects
> 2) I created user 01 with role A
> 
> 
> - correct: the user 01 never gets to see the tab with the edit-action
> - that's why on points 3) and 4) the access to the edit-form is done by
> typing the url directly in the url-field of the browser.
> 
> 
> 3) correct:
> - if user 01 wants to edit an object of type document (e.g.
> /Plone/index_html), the edit-form will be shown, but the user cannot
> save it. (-> msg: you are not allowed....)
> - url was: http://........../Plone/index_html/portal_form/document_edit_form
> 
> 4) problem:
> - if user 01 wants to edit an object of a ttwtype (e.g.
> /myPloneFolder/ttwTypnamesFoo), the edit-form will be shown, and the user
> is ALLOWED to save it!!
> - url was:
> http://......./myPloneFolder/ttwTypnamesFoo/portal_form/ttw_edit_form
> 
> 
> any ideas how I can restrict the edit-and-save-access to my ttwtype objects?
> 
> 
> 
> thanks for every input,
> david.
> 
> 