[Zope] major problems placing authentication on an extranet site-security flaw?

Jens Vagelpohl jens at dataflake.org
Wed Feb 8 12:05:57 EST 2006


On 8 Feb 2006, at 16:48, michael nt milne wrote:
> I get a pop-up box but the superuser manager pass doesn't work.

If the superuser password is indeed set up correctly then this is a  
fault of the user folder. There are some bad implementations out there  
that do not respect the superuser/emergency user.


> Then, even with 'authenticated' checked and using a different  
> browser to the one I'm using for the management screen, clicking  
> return on the login box over and over again eventually produces the  
> front page sans CSS. It shouldn't do this and when the extranet is  
> live, if the public were to be able to view it this would be a  
> serious risk. I've set view to authenticated only but it still lets  
> me in.
>
> I find the Zope security, permissions set-up hideously complex and  
> unusable to be honest and it doesn't even seem to work.

I'll be more explicit this time: You don't know enough to make  
blanket statements like this. From your emails it is obvious that you  
don't know much at all about the way Zope security works. You need to  
get a clue about what you're doing first. From the lack of similar  
complaints from the many Zope and Plone users out there and the lack  
of interest (meaning lack of responses to your emails) the only  
logical conclusion is that the fault is on your end.

Since this is a Plone site I would suggest you move this discussion  
to a Plone-related mailing list.

jens


