Re: [Zope-dev] Bugs in new Security Stuff :P (part1)

2000-08-22 Thread R. David Murray

On Tue, 22 Aug 2000, Chris Withers wrote:
> Why are they totally immune to the security stuff? It gets really
> confusing when something works fine in a management screen and yet
> breaks everywhere else, especially when it's not throwing a security
> error (more in part II ;-)
> 
> So, why is it like this?

My guess:  because part of the Zope security model is that if you
have access to the file system (i.e., external method, Python product)
you are allowed to do anything.  It's only when you try to call
that anything from dtml that security gets involved (unless you
code the security yourself).

Under the new security model of "denied unless explicitly permitted",
the current behavior of on-disk dtml methods is arguably wrong.

--RDM


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




[Zope-dev] Bugs in new Security Stuff :P (part1)

2000-08-22 Thread Chris Withers

Right, first up, this thing about HTMLFiles, which form part of the
management interface.

Why are they totally immune to the security stuff? It gets really
confusing when something works fine in a management screen and yet
breaks everywhere else, especially when it's not throwing a security
error (more in part II ;-)

So, why is it like this?

cheers,

Chris
