[Zope] Basic Security question (resolved)

Small Business Services toolkit at magma.ca
Thu Jun 3 08:06:59 EDT 2004


For the archives...

I was trying to set a proxy role on a dtml method to 'Authenticated' to
enable it to access image files in a subfolder which had its 'View'
permission set to authenticated.

eg.

Folder A
   |
   |-- Display method (proxy=authenticated)
   |-- Data folder (view=authenticated)
           |
           |-- image file

I kept getting security access errors with this arrangement.

The reason was that the Display method used the html tag <img
src="DataFolder/imagefile">. The proxy role authenticated the Display
method (as expected), but the html <img> tag actually causes a second http
request to access the 'src' file, and this second http request is not
authenticated, thereby causing the security access error.



----- Original Message -----
From: "Jonathan Hobbs" <hobbs at magma.ca>
To: "Geir Bækholt" <lists at elvix.com>
Cc: "Zope mailinglist" <zope at zope.org>
Sent: May 27, 2004 4:15 PM
Subject: Re: [Zope] Basic Security question


> From: "Geir Bækholt" <lists at elvix.com>
> > On Thu, 27 May 2004 11:09:46 -0400 GMT
> > Jonathan Hobbs asked the Zope mailinglist about the following:
> >
> > > I thought I understood permissions and roles, but...
> >
> > > I have a folder ('Data') with the 'View' security role set to
> > > 'Authenticated', and 'Acquire Permissions' is NOT checked for 'View'.
> >
> > > When, as an 'anonymous' user, I try to access an object within the 'Data'
> > > folder the security popup window (enter your name/password) is displayed.
> > > This works as I expected it to.
> >
> > > I have created a dtml method called 'Display'.  This test routine is
> > > hardcoded to display an object from the 'Data' folder.  I have set the Proxy
> > > role for the Display method to "Authenticated".  When, as an 'anonymous'
> > > user, I access the 'Display' method the security popup window appears?!
> > > Shouldn't the Proxy role assigned to the dtml method enable access to the
> > > object in the folder?
> >
> > Is the 'Display'-method incidentally also located inside the Data
> > folder? If that is the case, anon is still not allowed to access it,
> > and proxy/no proxy will not matter.
>
> No, the 'Display' dtml method and the 'Data' folder are both objects in the
> same, higher level folder
>
> ie.
>
> Folder A
>    |
>    |-- Display method
>    |-- Data folder
>            |
>            |-- image file
>
> where 'image file' is the object that 'Display' method is trying to access.
>
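As an added example (not from the original post or from Zope itself), a small Python model of the two checks described above: the Display method runs with its proxy role, but the browser's follow-up request for the <img src> carries only the client's own roles. The ZObj class, the SITE map and the {{path}} inclusion syntax are assumptions standing in for Zope objects and <dtml-var>; the model also contrasts a server-side inclusion, which the proxy role does cover.

```python
import re
class ZObj:
    """Simplified Zope-like object (an assumed model, not Zope's real API): roles
    granted View here, whether View acquires from the parent, and proxy roles."""
    def __init__(self, parent=None, view_roles=(), acquire=True,
                 proxy_roles=None, body=""):
        self.parent, self.body, self.acquire = parent, body, acquire
        self.view_roles = set(view_roles)
        self.proxy_roles = set(proxy_roles) if proxy_roles else None

def can_view(obj, roles):
    """Roles set on the object, or acquired from the containers above it, grant View."""
    if roles & obj.view_roles:
        return True
    return obj.acquire and obj.parent is not None and can_view(obj.parent, roles)

INCLUDE = re.compile(r"\{\{([^}]+)\}\}")  # server-side inclusion, stand-in for <dtml-var>
def serve(path, user_roles):
    """One HTTP request -> (status, body). The user's own roles gate the object;
    while it runs, its proxy roles replace them for server-side inclusions only."""
    obj = SITE[path]
    if not can_view(obj, user_roles):
        return 401, ""
    running = obj.proxy_roles or user_roles  # proxy roles live only inside this call
    for ref in INCLUDE.findall(obj.body):
        if not can_view(SITE[ref], running):
            return 401, ""
    return 200, INCLUDE.sub(lambda m: SITE[m.group(1)].body, obj.body)

def browse(path, user_roles):
    """Model the browser: fetch the page, then every <img src> in it as a separate
    request with the same client credentials -> {url: status}."""
    status, html = serve(path, user_roles)
    results = {path: status}
    for src in re.findall(r'<img\s+src="([^"]+)"', html):
        results[src] = serve(src, user_roles)[0]  # proxy roles do not apply here
    return results

# Constructed layout from the thread: Folder A holds Display (proxy role
# Authenticated) and Data (View = Authenticated, not acquired) with the image.
folder_a = ZObj(view_roles={"Anonymous", "Authenticated"}, acquire=False)
data = ZObj(folder_a, view_roles={"Authenticated"}, acquire=False)
SITE = {
    "Data/imagefile": ZObj(data, body="<PNG bytes>"),
    "Display": ZObj(folder_a, proxy_roles={"Authenticated"},
                    body='<img src="Data/imagefile">'),  # browser fetches the image
    "Inline": ZObj(folder_a, proxy_roles={"Authenticated"}, body="{{Data/imagefile}}"),
}
ANON = {"Anonymous"}
```

Run as anonymous, browse("Display", ANON) returns 200 for the method itself but 401 for the image request, while browse("Inline", ANON) succeeds because the proxied method pulls the image in server-side.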