Re: [Zope] major problems placing authentication on an extranet site-security flaw?
On 2/9/06, michael nt milne <[EMAIL PROTECTED]> wrote: > Over and out on this one from me and thanks for all your help Sorry but > SSL over virtual hosts *is* more involved that setting up a basic password > protect > My 2 cents on this thread: I've seen (ok, I've done, long ago) the following as a newbie when it comes to security - start checking and unchecking boxes in the security screens trying to get things to work how I want them to, get partially there, change another setting, now what used to work doesn't, now can't recall how to get back to working settings, and everything is botched. Before blaming Zope/Plone and its security, and calling it insecure or a nightmare, consider this: many of us have for years set up Zope and Plone sites with a mixture of anonymous and authentication-required areas, or totally locked down sites, using various user folders and authentication methods, and done so successfully. I don't say this to be snide - I have trained others on Zope and seen similar frustration from people when they rush in and start clicking things, or go on wild goose chases when something like browser cache may be producing the symptoms instead of a flaw with security. Careful, methodical debugging is required, and you must rule out external (non-Zope) causes. Others have pointed out that a default Plone site should not prompt you with a pop-up box (browser Basic Auth challenge) when requesting protected content. Plone and CMF sites use a login web form out of the box. Actually, from your initial post it's hard for me to tell what's going on - I can't tell whether you're trying to hit the site from perspective of a normal user, or through the ZMI you are clicking the View tab of the Plone site object. When reporting problems, it helps to clearly list your steps that produced the error. Maybe you thought you did. I'll agree that Zope security can be complex. ANY web application that features content that is available to some users, and not to others, especially when dealing with Users with Role A can view x and y, but not z, and can edit x, but not y and z, is going to be complex. Zope actually gives you a convenient way of setting that up, but the convenience also gives you a great way to shoot yourself in the foot. OT: I also use gmail because it's better IMO than any of my other options at work, and I hope I have the settings to the liking of the list (no HTML, etc). List, let me know if otherwise! Robert ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote: Over and out on this one from me You promise? ;-) Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
Over and out on this one from me and thanks for all your help Sorry but SSL over virtual hosts *is* more involved that setting up a basic password protectOn 2/9/06, Chris Withers <[EMAIL PROTECTED]> wrote: michael nt milne wrote:> Sorry but the SSL and virtual hosting through Apache is all working fine.> It's only the authentication bit that I'm having an issue with. Should be> easy compared to what I've configured previously. Yeahright, that gives some idea of the lack of understanding you have...> And isn't it Plone? :-)No, it's Plohn, as in "Oh my god, I can't believe how much this ishurting" :-P Chris--Simplistix - Content Management, Zope & Python Consulting- http://www.simplistix.co.uk-- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote: Sorry but the SSL and virtual hosting through Apache is all working fine. It's only the authentication bit that I'm having an issue with. Should be easy compared to what I've configured previously. Yeahright, that gives some idea of the lack of understanding you have... And isn't it Plone? :-) No, it's Plohn, as in "Oh my god, I can't believe how much this is hurting" :-P Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
Sorry but the SSL and virtual hosting through Apache is all working fine. It's only the authentication bit that I'm having an issue with. Should be easy compared to what I've configured previously. And isn't it Plone? :-) On 2/9/06, Chris Withers <[EMAIL PROTECTED]> wrote: michael nt milne wrote:> Look I'm having genuine issues here and to be honest there's no need to> become personally insulting.And what do you think you're doing by continuously coming back withphantom problems that no-one else experiences because they don't exist? And how about your insistence on having your mail setting the way _you_like it rather than how the rest of the group, who you expect to helpyou for free, might appreciate them?> I've just set-up Plone on an Windows server > with SSL Apache and multiple virtual hosts so don't take kindly to a few of> these remarks.Well, you obviously _haven't_ set these up correctly or you wouldn't behaving these problems. I've set up many instances of Zope on Windows over the years, many of them behind Apache, many of them CMF based andsome even Plohn, and I've never had the problems you're whining about.I _know_ I'm not in the minority here.My suggestion would be to go to a Plohn list that might be more forgiving in putting up with lazy incompetent people who just don't seemto get it. Either that or just give up on Zope/Plohn entirely and gosomewhere else...Failing that, you could always pay someone competent to configure your system for you *grinz*Chris--Simplistix - Content Management, Zope & Python Consulting- http://www.simplistix.co.uk -- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote: Look I'm having genuine issues here and to be honest there's no need to become personally insulting. And what do you think you're doing by continuously coming back with phantom problems that no-one else experiences because they don't exist? And how about your insistence on having your mail setting the way _you_ like it rather than how the rest of the group, who you expect to help you for free, might appreciate them? I've just set-up Plone on an Windows server with SSL Apache and multiple virtual hosts so don't take kindly to a few of these remarks. Well, you obviously _haven't_ set these up correctly or you wouldn't be having these problems. I've set up many instances of Zope on Windows over the years, many of them behind Apache, many of them CMF based and some even Plohn, and I've never had the problems you're whining about. I _know_ I'm not in the minority here. My suggestion would be to go to a Plohn list that might be more forgiving in putting up with lazy incompetent people who just don't seem to get it. Either that or just give up on Zope/Plohn entirely and go somewhere else... Failing that, you could always pay someone competent to configure your system for you *grinz* Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
(Wed, Feb 08, 2006 at 12:00:07PM -0500) [EMAIL PROTECTED] wrote/schrieb/egrapse: > From: michael nt milne <[EMAIL PROTECTED]> > Subject: [Zope] major problems placing authentication on an extranet > site-security flaw? > I have major problems here trying to set-up authentication over a whole > Plone site using Zope. You are aware that there is a Plone mailing list? And that Plone handles many things in special ways different from "stock", plain Zope (e.g. having Groups of users)? > Using my superuser account I've navigated to the site > root page in the ZMI where it lists all the site pages and objects etc. I've > then gone into security, scrolled down to the bottom and for the 'View' > option I have tried all combinations of 'Manager', 'Authenticated' and > 'Aquire'. It simply won't work. plone.org had fine tutorials and howtos for setting up closed plone sites last time I looked. > I get a pop-up box but the superuser manager pass doesn't work. Then, even A pop-up box? Plone doesn't use that. You either have murked up your setup completely or you have set up stuff that you are not telling us. > I find the Zope security, permissions set-up hideously complex and unusable > to be honest and it doesn't even seem to work. That is the proper attitude to get help. For some people always all the world is at fault. For other people their own lack of understanding turns to the revelation that it's *their* lack and they can do something about it. Regards, Sascha ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
Look I'm having genuine issues here and to be honest there's no need to become personally insulting. I've just set-up Plone on an Windows server with SSL Apache and multiple virtual hosts so don't take kindly to a few of these remarks. The last piece of my jigsaw is authenication which is becoming an issue. On 2/8/06, Chris Withers <[EMAIL PROTECTED]> wrote: michael nt milne wrote:> I have major problems here trying to set-up authentication over a whole> Plone site using Zope. Using my superuser account I've navigated to the site> root page in the ZMI where it lists all the site pages and objects etc. I've > then gone into security, scrolled down to the bottom and for the 'View'> option I have tried all combinations of 'Manager', 'Authenticated' and> 'Aquire'. It simply won't work.You're simply doing it wrong then ;-) > I get a pop-up box but the superuser manager pass doesn't work.What does it say when you hit cancel? have you tried enabling verbosesecurity in zope.conf?> I find the Zope security, permissions set-up hideously complex and unusable > to be honest and it doesn't even seem to work.Then for gods sake stop trying to use Zope and go find some toy systemyou do understand!> Very frustrated.So are we, quit bugging us until you've learned a bit more about how things work, started with something simple, or just plain raised your IQa little ;-)Chris--Simplistix - Content Management, Zope & Python Consulting- http://www.simplistix.co.uk-- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote: I have major problems here trying to set-up authentication over a whole Plone site using Zope. Using my superuser account I've navigated to the site root page in the ZMI where it lists all the site pages and objects etc. I've then gone into security, scrolled down to the bottom and for the 'View' option I have tried all combinations of 'Manager', 'Authenticated' and 'Aquire'. It simply won't work. You're simply doing it wrong then ;-) I get a pop-up box but the superuser manager pass doesn't work. What does it say when you hit cancel? have you tried enabling verbose security in zope.conf? I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work. Then for gods sake stop trying to use Zope and go find some toy system you do understand! Very frustrated. So are we, quit bugging us until you've learned a bit more about how things work, started with something simple, or just plain raised your IQ a little ;-) Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
On 08.02.06 21:38:26, michael nt milne wrote: > Of course I did. Why on earth would you be able to view a front page of a > site when it is labelled as 'authenticated' and also as 'manager' ? just by > pressing cancel or return a few times. I just checked that with a plain Zope's index_html. I cannot view localhost:8080/ when I change the security setting of index_html to allow View only for authenticated. However I can view it when I authenticate with the initial user information. Now the same thing with a plone site, removed the view-right from front_page I get a screen telling me to authenticate. Not the "box" because Plone normally uses cookie-auth, you should be able to change that in the UserFolder. If I use the initial-user with the cookie-based-form I can see the plone site. Then I removed the View right from the plone-site-object for anonymous and when I access localhost:8080/p1 I get the Basic-HTTP-Login Box, giving it the initial-user-info it lets me view the front_page. > Big security flaw I'm sorry. I wonder why you are the only one experiencing this... Maybe because the error is on your side (or sits in front of your monitor)? And not Zope. > Also > superuser passwords don't work when security is set up and I've tried this > on a couple of set-ups. And this is apart from the usability. What do you mean with superuser? There is no superuser, you have an initial user but that's not a user you'd normally use to login. You add new Users in the user-folder. And what usability problem are you now talking about? Andreas -- Reply hazy, ask again later. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
Mark Barratt schrieb: > michael nt milne wrote: > ... > My other advice is to try not to touch ZMI security screens: if you're > using Plone you should try to set up the security you need in Plone as Ah yes, things are a bit different when plone comes in. Then Plone documentation should be consulted, of course. Regards Tino ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne schrieb: > Sorry but this is not my experience and I have experimented. Am using > gmail basic setting which I like. Be sure mailinglist people dont like it :-) Actually it should not bee too hard to 1) create a role, lets call it "Guests" (in / ) 2) create a user: guest (in /acl_folder) with role "Guests" 3) remove [ ] acquire for "View" and if you want "Access Contents Information" and make a [x] for Manager and [x] Guests thats it. Go with a new browser (closed and reopen if you want) to / of your site and you will get the standard_error_page with "Unauthorized" if you "cancel" the login box. You can customize standard_error_page if you want. How can this be easier with Apache? I'd like to see :-) (Yes, I know Apache quite good) Regards Tino ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote: I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work. Yes. But security is hard on any capable system, with users, groups, objects, applications all having security attributes and all those things inheriting and interacting in unexpected ways. Netware and Windows are the same. As for 'doesn't even seem to work', that may be true (welcome to Open Source!), but you may 'just' be experiencing interactions between Zope security (hideously complex, etc) and Plone security (also complex). The interactions between these systems are basically beyond ordinary humans - or, possibly, just don't work. It may be most sensible to try to hand off security to another system entirely and let Zope/Plone share/inherit it - as your original intention. If it's an extranet, can you use the surrounding network's system? Pluggable authentication can use Windows or LDAP (or, perhaps, other) authentication to provide access to a Zope/Plone, so visitors log in to your network rather than to the Zope site, and the Zope/Plone can inherit whatever the domain authentication system knows about them. My other advice is to try not to touch ZMI security screens: if you're using Plone you should try to set up the security you need in Plone as far as possible. You really don't need Plone and Zope trying to do different things at the same time: it's a fragile and complex marriage and the partners all too easily end up stalking out of the room. (this also suggests you might have better luck on the Plone discussion lists, eg nntp://gmane.comp.web.zope.plone.user) best Mark Barratt ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
Sorry but this is not my experience and I have experimented. Am using gmail basic setting which I like. On 2/8/06, Tino Wildenhain < [EMAIL PROTECTED]> wrote:michael nt milne schrieb:> Of course I did. Why on earth would you be able to view a front page of > a site when it is labelled as 'authenticated' and also as 'manager' ?> just by pressing cancel or return a few times. Big security flaw I'm> sorry. Also superuser passwords don't work when security is set up and > I've tried this on a couple of set-ups. And this is apart from the> usability.I dont get what you tried... many of us are doing it and it justworks. Much easier as with apache I say. Apropos getting and trying... could you try to set your mail-client to text only and quote likeall others do? This would make it easier to read what you type :-)You only remove [ ] Acquire for View and assign it toAuthenticated or better to whatever role your users should belong. Canceling Authentication requester will not show you contentsbut the standard_error_page - unless you have a broken useragent(e.g. Internetexplorer) with horrible cache settings and didview the authenticated page before. RegardsTino Wildenhain-- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne schrieb: > Of course I did. Why on earth would you be able to view a front page of > a site when it is labelled as 'authenticated' and also as 'manager' ? > just by pressing cancel or return a few times. Big security flaw I'm > sorry. Also superuser passwords don't work when security is set up and > I've tried this on a couple of set-ups. And this is apart from the > usability. I dont get what you tried... many of us are doing it and it just works. Much easier as with apache I say. Apropos getting and trying... could you try to set your mail-client to text only and quote like all others do? This would make it easier to read what you type :-) You only remove [ ] Acquire for View and assign it to Authenticated or better to whatever role your users should belong. Canceling Authentication requester will not show you contents but the standard_error_page - unless you have a broken useragent (e.g. Internetexplorer) with horrible cache settings and did view the authenticated page before. Regards Tino Wildenhain ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
I printed out the section on Zope security quite a while ago and read it. So it's not just in the last ten minutes. I haven't tried verbosesecurity just yet as I haven't had the time. Basically, the security should work without that. On 2/8/06, Andreas Pakulat <[EMAIL PROTECTED]> wrote: On 08.02.06 21:25:33, michael nt milne wrote:> I've just tried this on a completely different server. I also made sure that> 'access contents information' was set to 'manager' and 'authenticated'.Wow, you read the zope-book on security, setup a new zope on a server and checked this in just 10 minutes? Forgive me if I don't believe this.> The same thing happens. The main password doesn't work and also you still> get the main page contents if you keep cancelling or pressing return on the > login box.So no Plone this time? What does VerboseSecurity tell you? Do you haveto login to get access to the ZMI? Have you tried to allownon-authenticated access to the ZMI?> Complete nightmare. This was the reason I wanted to go with Apache security > as it's more robust.No it's not, it's not less robust either, at least that's what Iexperienced until now.Andreas--You can rent this space for only $5 a week.___ Zope maillist - Zope@zope.orghttp://mail.zope.org/mailman/listinfo/zope** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )-- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
On 08.02.06 21:25:33, michael nt milne wrote: > I've just tried this on a completely different server. I also made sure that > 'access contents information' was set to 'manager' and 'authenticated'. Wow, you read the zope-book on security, setup a new zope on a server and checked this in just 10 minutes? Forgive me if I don't believe this. > The same thing happens. The main password doesn't work and also you still > get the main page contents if you keep cancelling or pressing return on the > login box. So no Plone this time? What does VerboseSecurity tell you? Do you have to login to get access to the ZMI? Have you tried to allow non-authenticated access to the ZMI? > Complete nightmare. This was the reason I wanted to go with Apache security > as it's more robust. No it's not, it's not less robust either, at least that's what I experienced until now. Andreas -- You can rent this space for only $5 a week. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
Of course I did. Why on earth would you be able to view a front page of a site when it is labelled as 'authenticated' and also as 'manager' ? just by pressing cancel or return a few times. Big security flaw I'm sorry. Also superuser passwords don't work when security is set up and I've tried this on a couple of set-ups. And this is apart from the usability. On 2/8/06, Tino Wildenhain <[EMAIL PROTECTED]> wrote: michael nt milne schrieb:> Thanks for the advice. I'll have another look at the security settings> but this is undoubtedly an issue. The superuser password not working is> the main one etc. But ultimately my comments on usabiltity should be > taken on board because Zope security is overly complex.Actually its not that hard - and its just fine grained - a very strengthof zope. You can use VerboseSecurity to debug your security issues. Did you read the chapter about users and security in the zope book?RegardsTino-- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne schrieb: > Thanks for the advice. I'll have another look at the security settings > but this is undoubtedly an issue. The superuser password not working is > the main one etc. But ultimately my comments on usabiltity should be > taken on board because Zope security is overly complex. Actually its not that hard - and its just fine grained - a very strength of zope. You can use VerboseSecurity to debug your security issues. Did you read the chapter about users and security in the zope book? Regards Tino ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
I've just tried this on a completely different server. I also made sure that 'access contents information' was set to 'manager' and 'authenticated'.The same thing happens. The main password doesn't work and also you still get the main page contents if you keep cancelling or pressing return on the login box. Complete nightmare. This was the reason I wanted to go with Apache security as it's more robust.MichaelOn 2/8/06, michael nt milne < [EMAIL PROTECTED]> wrote: Thanks for the advice. I'll have another look at the security settings but this is undoubtedly an issue. The superuser password not working is the main one etc. But ultimately my comments on usabiltity should be taken on board because Zope security is overly complex. On 2/8/06, Dieter Maurer < [EMAIL PROTECTED]> wrote: michael nt milne wrote at 2006-2-8 16:48 +:>I have major problems here trying to set-up authentication over a whole>Plone site using Zope. Using my superuser account I've navigated to the site>root page in the ZMI where it lists all the site pages and objects etc. I've >then gone into security, scrolled down to the bottom and for the 'View'>option I have tried all combinations of 'Manager', 'Authenticated' and>'Aquire'. It simply won't work.You can use "VerboseSecurity" to analyse difficult authorization problems."VerboseSecurity" is an integral part of Zope from 2.8 on.Previously, it has been a separate product.--Dieter-- Michael -- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
Thanks for the advice. I'll have another look at the security settings but this is undoubtedly an issue. The superuser password not working is the main one etc. But ultimately my comments on usabiltity should be taken on board because Zope security is overly complex. On 2/8/06, Dieter Maurer <[EMAIL PROTECTED]> wrote: michael nt milne wrote at 2006-2-8 16:48 +:>I have major problems here trying to set-up authentication over a whole>Plone site using Zope. Using my superuser account I've navigated to the site>root page in the ZMI where it lists all the site pages and objects etc. I've >then gone into security, scrolled down to the bottom and for the 'View'>option I have tried all combinations of 'Manager', 'Authenticated' and>'Aquire'. It simply won't work.You can use "VerboseSecurity" to analyse difficult authorization problems."VerboseSecurity" is an integral part of Zope from 2.8 on.Previously, it has been a separate product.--Dieter-- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote at 2006-2-8 16:48 +: >I have major problems here trying to set-up authentication over a whole >Plone site using Zope. Using my superuser account I've navigated to the site >root page in the ZMI where it lists all the site pages and objects etc. I've >then gone into security, scrolled down to the bottom and for the 'View' >option I have tried all combinations of 'Manager', 'Authenticated' and >'Aquire'. It simply won't work. You can use "VerboseSecurity" to analyse difficult authorization problems. "VerboseSecurity" is an integral part of Zope from 2.8 on. Previously, it has been a separate product. -- Dieter ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
On 08.02.06 16:48:08, michael nt milne wrote: > I have major problems here trying to set-up authentication over a whole > Plone site using Zope. Start simple, start up a plain Zope, create a ZPT or DTML and change it's view right. See what happens. > I find the Zope security, permissions set-up hideously complex and unusable > to be honest and it doesn't even seem to work. Have you read the zope documentation on how security works? Have you checked what happens when you access the Plone-url "behind the scenes"? Andreas -- You seek to shield those you love and you like the role of the provider. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] major problems placing authentication on an extranet site-security flaw?
On 8 Feb 2006, at 16:48, michael nt milne wrote: I get a pop-up box but the superuser manager pass doesn't work. If the superuser password is indeed set up correctly then this is a fault of the user folder. There are some bad implementations out that that do not respect the superuser/emergency user. Then, even with 'authenticated' checked and using a different browser to the one I'm using for the management screen, clicking return on the login box over and over again eventually produces the front page sans CSS. It shouldn't do this and when the extranet is live, if the public were to be able to view it this would be a serious risk. I've set view to authenticated only but it still lets me in. I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work. I'll be more explicit this time: You don't know enough to make blanket statements like this. From your emails it is obvious that you don't know much at all about the way Zope security works. You need to get a clue about what you're doing first. From the lack of similar complaints from the many Zope and Plone users out there and the lack of interest (meaning lack of responses to your emails) the only logical conclusion is that the fault is on your end. Since this is a Plone site I would suggest you move this discussion to a Plone-related mailing list. jens ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] major problems placing authentication on an extranet site-security flaw?
HiI have major problems here trying to set-up authentication over a whole Plone site using Zope. Using my superuser account I've navigated to the site root page in the ZMI where it lists all the site pages and objects etc. I've then gone into security, scrolled down to the bottom and for the 'View' option I have tried all combinations of 'Manager', 'Authenticated' and 'Aquire'. It simply won't work. I get a pop-up box but the superuser manager pass doesn't work. Then, even with 'authenticated' checked and using a different browser to the one I'm using for the management screen, clicking return on the login box over and over again eventually produces the front page sans CSS. It shouldn't do this and when the extranet is live, if the public were to be able to view it this would be a serious risk. I've set view to authenticated only but it still lets me in. I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work.Very frustrated.-- Michael ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )