Re: [Zope-dev] Security Question

2001-11-28 Thread Danny William Adair

On Saturday 24 November 2001 01:40, Andre Schubert wrote:
> root/
>   index_html
>   foo/
>     acl_users/
>     bar/
>       Image
>
> I have an image which could only be viewed by users with a role named
> foobar; these users are in acl_users.
> If I access the image through the web I must authenticate myself for the
> first time; after that everything works well.
> But if I want to access the Image via <dtml-var Image> from the
> index_html in the root folder I got no access.
> After searching at Zope.org I tested with <dtml-var
> restrictedTraverse('foo/bar/Image')> but this doesn't work.
> How do I authenticate myself in foo if I access the folder via DTML?

In your Image object, give the Access Contents Information permission to the role 
Anonymous (or whoever usually views index_html), but keep View forbidden 
for Anonymous (allowed only for foobar role owners).

This way, the var tag (which could have been called by Anonymous) will be 
able to see the object, and Zope will authenticate automatically, if this 
is necessary in order to view it.

For security reasons, your Image object will not even be found, if the 
caller's role does not have the Access Contents Information permission. I 
find this a good idea and reason.

There is no difference whether you climb to Image using restrictedTraverse, 
the with tag, or directly. All these will have identical results.

If you want to avoid the separate permission settings (because you have a lot 
of Image objects you want to behave like that), either give index_html a 
proxy role that has the Access Contents Information permission on Image 
(or the whole bar folder), or use unrestrictedTraverse in index_html.

hth,
Danny

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] Security Question

2001-11-28 Thread Andre Schubert

Danny William Adair wrote:
>
> On Saturday 24 November 2001 01:40, Andre Schubert wrote:
> > root/
> >   index_html
> >   foo/
> >     acl_users/
> >     bar/
> >       Image
> >
> > I have an image which could only be viewed by users with a role named
> > foobar; these users are in acl_users.
> > If I access the image through the web I must authenticate myself for the
> > first time; after that everything works well.
> > But if I want to access the Image via <dtml-var Image> from the
> > index_html in the root folder I got no access.
> > After searching at Zope.org I tested with <dtml-var
> > restrictedTraverse('foo/bar/Image')> but this doesn't work.
> > How do I authenticate myself in foo if I access the folder via DTML?
>
> In your Image object, give the Access Contents Information permission to the role
> Anonymous (or whoever usually views index_html), but keep View forbidden
> for Anonymous (allowed only for foobar role owners).
So it is.
>
> This way, the var tag (which could have been called by Anonymous) will be
> able to see the object, and Zope will authenticate automatically, if this
> is necessary in order to view it.
This doesn't work, because the user is not known in root where the
index_html is;
the user is known in the folder view.

>
> For security reasons, your Image object will not even be found, if the
> caller's role does not have the Access Contents Information permission. I
> find this a good idea and reason.
>
> There is no difference whether you climb to Image using restrictedTraverse,
> the with tag, or directly. All these will have identical results.
>
> If you want to avoid the separate permission settings (because you have a lot
> of Image objects you want to behave like that), either give index_html a
> proxy role that has the Access Contents Information permission on Image
> (or the whole bar folder), or use unrestrictedTraverse in index_html.
>
> hth,
> Danny

as




Re: [Zope-dev] Security Question

2001-11-28 Thread Danny William Adair

> This doesn't work, because the user is not known in root where the
> index_html is;
> the user is known in the folder view.


Sorry.
I think I read your first email a little too fast.

This behavior is normal, and meant to strengthen Zope security.
You are not calling the Image object, index_html is. The user folder will not 
authenticate above. You are calling index_html which is above. 
That's why calling the Image object directly works fine.

If the other way were possible, you could switch the authenticating 
user_folders and thus sneak into something you weren't allowed to access:

<dtml-with folder_where_current_user_is_in_acl_users_and_has_foobar_role>
  <dtml-with folder_next_to_it_where_user_can_access_contents_information>
    <dtml-var some_Image_only_foobar_role_owners_can_view>
  </dtml-with>
</dtml-with>

This means showing the bouncer your public library card, instead of (at 
least) your driver's license. Of course it says that you're 21...

By the way, this has nothing to do with the URL. Calling /foo/bar/index_html 
(hoping for acquisition leaving you with the client object bar) will bring 
the same result. <dtml-var Image> will _find_ the Image object, but 
index_html (which is still above) will need to show proper permissions.

So you cannot do it this way. Not even unrestrictedTraverse would help you. 
Not even a proxy role, since you would have the same problem with the method 
that holds the proxy role. Where would you put it?

If I understand you right, you want the user to authenticate when trying to 
access index_html, because that's where the protected image will be shown. 
(Or was the question not of practical relevance?)

You either have to move index_html down to where acl_users lies, or the other 
way around.

If you want one universal view image page, which only asks for 
authentication if needed for the image it is supposed to show (and doesn't 
for public images), then call foo/bar/Image/show with show being a method 
on the same level as your current index_html. Another way would be 
redirection.

The third and by far the easiest solution is to use

<img src="/foo/bar/Image">

in index_html, because then the Image object will be requested directly and 
authenticates itself (on the right level).

I was rebuilding your sample structure, and found something quite annoying, 
that might have to go into the Collector:

Access contents information looks like it is not sufficient to access image 
objects or their properties.

<dtml-var foo.bar.Image.width> will need the View permission, which is 
not how this thing works with other object types. As soon as you _access_ an 
image object Zope behaves as if you were trying to render it, but you're not 
(yet).

You might have found a Zope bug here...

Hope this helps,
Danny




Re: [Zope-dev] security question

2001-06-16 Thread Shane Hathaway

Tim McLaughlin wrote:
> root has a role called 'User' with 'View' permissions (anonymous is
> disabled) and acl_users has a user called joe.  joe can access objects in
> folder2 according to the permissions set on the root by using acquisition
> like this:
> http://server/folder1/folder2/object1
> joe cannot, however, access them directly:
> http://server/folder2/object1
>
> Does this seem strange to anybody else, or have I just been working too
> long?

What version of Zope?  What OS?  Are you using a user folder other than
the stock acl_users?

Shane




[Zope-dev] security question

2001-06-15 Thread Tim McLaughlin

It seems to me that a User should not get to keep their roles in the
acquired objects which are above the User Folder in which the user is
defined... However, that does not seem to be true according to my testing.

This is what happens.  Imagine a tree like this:
root/
  folder1/
    acl_users/
  folder2/
    object1

root has a role called 'User' with 'View' permissions (anonymous is
disabled) and acl_users has a user called joe.  joe can access objects in
folder2 according to the permissions set on the root by using acquisition
like this:
http://server/folder1/folder2/object1
joe cannot, however, access them directly:
http://server/folder2/object1

Does this seem strange to anybody else, or have I just been working too
long?
_
Tim McLaughlin
iterationZERO - www.iterationzero.com
703-481-2233


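Added example, not code from either thread and not Zope's own code: a small Python model of the rule that both the Image thread and Tim's acquisition question run into, namely that only user folders lying on the traversed URL path get to authenticate a request, while permission settings are acquired from the containers above the object. The folder tree, the users joe and alice, the role names and the View settings are constructed to mirror the two layouts above; credentials are assumed valid and only the View permission is modelled.

```python
class Folder:
    def __init__(self, parent=None, users=None, perms=None):
        self.parent, self.children = parent, {}
        self.users = users or {}  # this folder's acl_users: user -> roles
        self.perms = perms or {}  # permission -> roles granted here

    def add(self, name, **kw):
        self.children[name] = Folder(self, **kw)
        return self.children[name]

def traverse(root, path):
    # Walk the URL like Zope: look each segment up in the current folder, else
    # acquire it from an ancestor. Also return the objects actually traversed.
    node, visited = root, [root]
    for seg in [s for s in path.split("/") if s]:
        here = node
        while seg not in here.children:
            here = here.parent  # acquisition (AttributeError if nobody has it)
        node = here.children[seg]
        visited.append(node)
    return node, visited

def roles_of(visited, user):
    # Only user folders on the traversed path see the request; innermost wins.
    for folder in reversed(visited):
        if user in folder.users:
            return set(folder.users[user])
    return {"Anonymous"}

def roles_for(obj, permission):
    # Permission settings acquire upward until some container defines them.
    while obj is not None and permission not in obj.perms:
        obj = obj.parent
    return set(obj.perms[permission]) if obj else set()

def view_allowed(root, request_path, target_path=None, user=None):
    # Roles come from the request URL; the View check is made on the target,
    # which for <dtml-var Image> inside a page is not the requested object.
    _, visited = traverse(root, request_path)
    obj, _ = traverse(root, target_path or request_path)
    return bool(roles_of(visited, user) & roles_for(obj, "View"))

def build_tree():
    # Constructed tree merging both threads' layouts; user names are made up.
    root = Folder(perms={"View": {"User"}})  # Anonymous cannot View here
    root.add("folder1", users={"joe": ["User"]})
    root.add("folder2").add("object1")
    root.add("index_html")
    foo = root.add("foo", users={"alice": ["foobar"]})
    foo.add("bar").add("Image", perms={"View": {"foobar"}})
    return root
```

`view_allowed(build_tree(), "/index_html", "/foo/bar/Image", user="alice")` is False because foo's user folder never saw the request, while the direct `/foo/bar/Image` request succeeds; likewise joe passes through `/folder1/folder2/object1` but not `/folder2/object1`.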