[Zope] major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Wed Feb 8 17:10:34 EST 2006


Sorry, but this is not my experience, and I have experimented. I am using Gmail's
basic setting, which I like.

On 2/8/06, Tino Wildenhain <tino at wildenhain.de> wrote:
>
> michael nt milne schrieb:
> > Of course I did. Why on earth would you be able to view a front page of
> > a site when it is labelled as 'authenticated' and also as 'manager'
> > just by pressing cancel or return a few times? Big security flaw, I'm
> > sorry. Also superuser passwords don't work when security is set up, and
> > I've tried this on a couple of set-ups. And this is apart from the
> > usability.
>
> I don't get what you tried... many of us are doing it and it just
> works. Much easier than with Apache, I'd say. Apropos getting and trying...
> could you set your mail client to text only and quote like
> all the others do? That would make it easier to read what you type :-)
>
> You only remove [ ] Acquire for View and assign it to
> Authenticated, or better to whatever role your users should belong to.
>
> Cancelling the authentication requester will not show you the contents
> but the standard_error_page - unless you have a broken user agent
> (e.g. Internet Explorer) with horrible cache settings and did
> view the authenticated page before.
>
> Regards
> Tino Wildenhain
>



--
Michael
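The point Tino makes in the quoted reply (untick "Acquire" for View on the
folder and grant View to Authenticated) is easiest to see with a small model
of how Zope resolves a permission through acquisition. The following is an
added example written for this thread; it is not Zope's own code and not
something either poster wrote. It assumes two rules that Zope applies: a
permission whose Acquire box is ticked adds the parent's role grants to the
local ones, and a permission granted to the Anonymous role is open to every
request, credentials or not. The node and role names are made up.

```python
# Added example: a model of Zope's acquisition-based permission lookup.
# Not Zope's own code. It mirrors two rules of Zope's security policy:
#   1. With "Acquire" ticked, the roles granted higher up the tree are
#      added to the roles ticked locally; unticked stops the walk.
#   2. A permission granted to 'Anonymous' is open to everybody, so an
#      unauthenticated request (after "Cancel" on the login box) passes.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One object in the ZODB tree (root, folder, page, ...)."""
    name: str
    parent: Optional["Node"] = None
    # permission -> (roles granted locally, acquire from parent?)
    settings: dict = field(default_factory=dict)

    def manage_permission(self, permission, roles, acquire):
        """What the 'Security' tab stores: ticked roles and the Acquire box."""
        self.settings[permission] = (frozenset(roles), bool(acquire))

    def roles_for(self, permission):
        """Effective roles: collect local grants, walk up while Acquire is on."""
        granted = set()
        node = self
        while node is not None:
            local, acquire = node.settings.get(permission, (frozenset(), True))
            granted |= local
            if not acquire:
                break
            node = node.parent
        return granted


def check_permission(node, permission, user_roles):
    """True when the request's roles may exercise the permission on node."""
    granted = node.roles_for(permission)
    if "Anonymous" in granted:        # open to everyone, logged in or not
        return True
    return bool(granted & set(user_roles))


# Roles carried by three kinds of request (constructed for the example).
ANONYMOUS = {"Anonymous"}                 # pressed Cancel / no credentials
MEMBER = {"Authenticated", "Member"}      # any logged-in extranet user
MANAGER = {"Authenticated", "Manager"}    # a logged-in manager


def build_site():
    """Root with Zope's usual default: View open to Anonymous (and Manager)."""
    root = Node("root")
    root.manage_permission("View", ["Anonymous", "Manager"], acquire=0)
    extranet = Node("extranet", parent=root)   # nothing set yet: acquires
    return root, extranet


def who_can_view(node):
    return {
        "anonymous": check_permission(node, "View", ANONYMOUS),
        "member": check_permission(node, "View", MEMBER),
        "manager": check_permission(node, "View", MANAGER),
    }


def run_scenarios():
    """Three settings of the extranet folder's View permission."""
    _root, extranet = build_site()
    results = {}

    # 1. Untouched folder: View acquired from root, so Anonymous gets in.
    results["default"] = who_can_view(extranet)

    # 2. The common mistake: Authenticated ticked but Acquire left on.
    #    Root's Anonymous grant is still acquired, so Cancel still works.
    extranet.manage_permission("View", ["Authenticated"], acquire=1)
    results["acquire_left_on"] = who_can_view(extranet)

    # 3. What the reply describes: Acquire unticked, roles granted locally.
    extranet.manage_permission("View", ["Authenticated", "Manager"], acquire=0)
    results["acquire_off"] = who_can_view(extranet)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} {outcome}")
```

Only the third setting denies the anonymous request; leaving Acquire ticked
is the configuration that matches the symptom described in the thread
(front page visible after pressing Cancel). What the model cannot show is
the other explanation Tino gives: a browser serving the page from its cache
after an earlier authenticated visit, which no permission setting on the
server will cure.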