[Zope-dev] Security fixes from Plone hotfix ported to Zope ?

2013-06-26 Thread Gael Le Mignot
Hello,

Plone recently released a security hotfix with a dozen of patches in it
[1].

With a quick glance at the source code of those fixes, it seemed several
of them directly patch Zope, not Plone-related products.

Is there any plan to make new releases of Zope 2.12 and Zope 2.13
integrating the patches that are meaningful for pure-Zope (non-Plone)
applications?

[1] http://plone.org/products/plone/security/advisories/20130618-announcement

Regards,
-- 
Gaël Le Mignot - g...@pilotsystems.net
Pilot Systems - 82, rue de Pixérécourt - 75020 Paris
Tel : +33 1 44 53 05 55 - www.pilotsystems.net
Manage your contacts and your newsletters: www.cockpit-mailing.com
___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Security fixes from Plone hotfix ported to Zope ?

2013-06-26 Thread Matthew Wilkes

> Is there any plan to make new releases of Zope 2.12 and Zope 2.13
> integrating the patches that are meaningful for pure-Zope (non-Plone)
> applications?

Plone doesn't always use the latest version of Zope. These are backports.

Matt





[Zope-dev] Security vulnerability CVE 2011-3587: Arbitrary Code Execution

2011-10-04 Thread Hanno Schlichting
The Zope security response team is announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users. The hotfix for this vulnerability
was pre-announced last week.

This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary
commands with the privileges of the Zope service.

Versions Affected:  Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Zope 2.11.x, Zope 2.10.x or prior

You can either install the Hotfix as an egg release from
http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2011_3587 or as
an old-style product release available from
http://download.zope.org/Zope2/hotfixes/Zope_Hotfix_CVE_2011_3587-v10.tar.gz.

Alternatively you can upgrade to the latest bugfix release of Zope.
Versions 2.12.20 and 2.13.10 will be released today and include the
fix for this vulnerability.

Please refer to
http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
for more details.

The Plone community has also released a security hotfix today covering
an additional security issue. If you are using Plone, please refer to
http://plone.org/products/plone/security/advisories/20110928.

On behalf of the Zope security response team,
Hanno Schlichting


[Zope-dev] Security announcement update

2011-06-28 Thread Laurence Rowe
This is an update on today's security hotfix release.

The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
(11:00am US EDT.) Updated versions of Zope 2 containing the security
fix will be released at the same time.

For details on which versions of Zope and Plone are affected, please
see: http://plone.org/products/plone/security/advisories/20110622

For installation instructions, please see:
http://plone.org/products/plone-hotfix/releases/20110622

On behalf of the Zope and Plone security teams,

Laurence


Re: [Zope-dev] Security announcement update

2011-06-28 Thread Sascha Welter
(Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:
> This is an update on today's security hotfix release.

Thank you for the update, most helpful!

> The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
> (11:00am US EDT.) Updated versions of Zope 2 containing the security
> fix will be released at the same time.
>
> For details on which versions of Zope and Plone are affected, please
> see: http://plone.org/products/plone/security/advisories/20110622

It says Zope 2.10 and 2.11 users who have not installed
PloneHotfix20110720 are not affected - can I conclude from that,
that Zope 2.9 would not be affected either?

Regards,

Sascha



[Zope-dev] Security announcement

2011-06-22 Thread Laurence Rowe
On behalf of the Plone and Zope Security Teams I'd like to draw your
attention to a security announcement that has just been published.

This is a pre-announcement only, it does not contain any vulnerability
details. Your sites are as safe today as they were yesterday.  However,
as the problem that has been found is so serious we are giving you
advance warning that a patch is upcoming and recommending that you
plan a maintenance period for your sites to coincide with the full
announcement on Tuesday next week.

Full details are available at
http://plone.org/products/plone/security/advisories/pre-announcement-20110622

You can feel free to ask more questions on the plone-users mailing
list or in the #plone IRC channel about details and how to protect
yourself, but it is important to make a plan for this now.  It is
important to plan down-time at the time specified in that announcement
or your site will potentially be at risk - following the release of a
hotfix for the previous serious security vulnerability we received
reports of automated attacks on unpatched sites.


Laurence


[Zope-dev] security problem in a monkey-patch

2007-09-19 Thread Joachim Schmitz

Hi,

I have monkey-patched the QueueCatalog to adapt it to our needs, which 
works fine. I now wanted to introduce a new feature:


The QueueCatalog should be bypassed during mass-import of data.
So I introduced a new variable _bypass, and new getBypassQueue() and 
setBypassQueue methods in the monkey-patch:


from AccessControl import ClassSecurityInfo
from AccessControl.Permissions import view_management_screens
from Products.QueueCatalog.QueueCatalog import QueueCatalog

# 'security' is not shown in the original post; it has to be a
# ClassSecurityInfo for declareProtected to exist.
security = ClassSecurityInfo()

security.declareProtected(view_management_screens, 'getBypassQueue')
def getBypassQueue(self):
    """get _bypass"""
    if not hasattr(self, '_bypass'):
        self._bypass = False
    return self._bypass

security.declareProtected(view_management_screens, 'setBypassQueue')
def setBypassQueue(self, bypass=False):
    """set _bypass"""
    self._bypass = bypass

QueueCatalog.getBypassQueue = getBypassQueue
QueueCatalog.setBypassQueue = setBypassQueue
# Declarations collected in a ClassSecurityInfo reach the class only when
# it is (re)initialized, e.g. with InitializeClass(QueueCatalog); that step
# is not part of the original post.


I can invoke these methods from the url like:

../portal_catalog/setBypassQueue?bypass=1

and

../portal_catalog/getBypassQueue
displays a 1

But when I do a:

<input type="checkbox" name="enable_bypass"
       tal:attributes="checked here/portal_catalog/getBypassQueue" />

I get:
Unauthorized: The container has no security assertions.  Access to 
'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.


What am I missing here?


--
Gruß Joachim


Re: [Zope-dev] security problem in a monkey-patch

2007-09-19 Thread Dieter Maurer
Joachim Schmitz wrote at 2007-9-19 11:54 +0200:
> and
>
> ../portal_catalog/getBypassQueue
> displays a 1

This looks like a security bug.

You should not be able to call something via the ZPublisher
what you cannot call in a script.

Maybe, you file a bug report?



-- 
Dieter
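To make the refusal quoted above concrete, here is a toy model of how Zope 2 decides whether restricted code (a Page Template or Python Script) may touch an attribute. It is an added illustration written for this page, not Zope's own code: the `ClassSecurityInfo`, `validate` and `QueueCatalog` names below mimic the real AccessControl API with simplified internals (an assumption), and the mapping of "View management screens" to the Manager role is constructed. The model separates two distinct outcomes: a declaration that was recorded but never applied to the class leaves "the container has no security assertions", while an applied declaration refuses only callers whose roles do not hold the permission.

```python
# Added illustration: a toy model of Zope 2 attribute-access validation,
# not Zope's own code. Class and function names mimic the real
# AccessControl API; the internals are simplified (assumption).

MISSING = object()


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


class ClassSecurityInfo:
    """Collects declarations; they only reach the class when apply() runs
    (in real Zope, InitializeClass(cls) performs this step)."""

    def __init__(self):
        self._declarations = {}

    def declareProtected(self, permission, *names):
        for name in names:
            self._declarations[name] = permission

    def declarePublic(self, *names):
        for name in names:
            self._declarations[name] = None      # None: no permission needed

    def apply(self, cls):
        # Zope records the requirement as <name>__roles__ on the class.
        for name, permission in self._declarations.items():
            setattr(cls, name + "__roles__", permission)


def validate(container, name, user_roles):
    """Return container.<name> if user_roles may access it, else raise
    Unauthorized. Simplified from the real ZopeSecurityPolicy."""
    value = getattr(container, name)
    requirement = getattr(type(container), name + "__roles__", MISSING)
    if requirement is MISSING:
        # No declaration at all for this attribute.
        if getattr(container, "__allow_access_to_unprotected_subobjects__", 0):
            return value
        raise Unauthorized(
            "The container has no security assertions. "
            "Access to %r of %r denied." % (name, type(container).__name__))
    if requirement is None:                      # declarePublic
        return value
    granted = container.permission_roles.get(requirement, ())
    if set(user_roles) & set(granted):
        return value
    raise Unauthorized("Access to %r requires %r, granted to roles %r"
                       % (name, requirement, list(granted)))


def make_catalog_class(apply_declarations):
    """Build a stand-in for QueueCatalog, monkey-patched as in the post,
    with or without the declarations applied to the class."""

    class QueueCatalog:
        # Which roles hold the permission in this container (constructed).
        permission_roles = {"View management screens": ("Manager",)}
        _bypass = False

    security = ClassSecurityInfo()
    security.declareProtected("View management screens",
                              "getBypassQueue", "setBypassQueue")

    def getBypassQueue(self):
        return self._bypass

    def setBypassQueue(self, bypass=False):
        self._bypass = bypass

    QueueCatalog.getBypassQueue = getBypassQueue
    QueueCatalog.setBypassQueue = setBypassQueue
    if apply_declarations:
        security.apply(QueueCatalog)        # the InitializeClass step
    return QueueCatalog


def access_outcome(user_roles, apply_declarations):
    """Return 'allowed' or the Unauthorized message for a template that
    evaluates here/portal_catalog/getBypassQueue."""
    catalog = make_catalog_class(apply_declarations)()
    try:
        validate(catalog, "getBypassQueue", user_roles)
    except Unauthorized as exc:
        return str(exc)
    return "allowed"


if __name__ == "__main__":
    for roles, applied in [(["Manager"], False), (["Manager"], True),
                           (["Anonymous"], True)]:
        print(roles, "applied" if applied else "not applied", "->",
              access_outcome(roles, applied))
```

The first case reproduces the wording of the error in the post regardless of the caller's roles, which is why the role held by the user is not the first thing to check when that message appears; the other two show the declaration doing its job once it is on the class.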


[Zope-dev] (Security) Hotfix_20050405 Released

2005-04-05 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Overview

  Zope Corporation has released a Zope hotfix product addressing a
  potential vulnerability discovered during a recent security audit
  of Zope 2.7 and 2.8.

Affected Versions

  The hotfix affects versions 2.7.5 and earlier of Zope on the 2.7
  release line, as well as versions 2.8a1 and 2.8a2 on the upcoming 2.8
  release line.  The vulnerability will be resolved in versions 2.7.6
  and 2.8b1.  We recommend that any site which permits untrusted users
  to write PythonScripts apply this hotfix, and upgrade to a fixed
  version of Zope as it becomes available.

Further Information

  Please see the product README,
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/README.txt
  for details on the vulnerability, and for instructions on installing
  the hotfix.

Downloading the Hotfix

  - Unix tarball,
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/Hotfix_20050405.tar.gz

  - Windows ZIP archive,
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/Hotfix_20050405.zip


Tres Seaver.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  Zope Dealers   http://www.zope.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCUsvGGqWXf00rNCgRAt3qAJ42sH4BIPP9+S1g+ZnpwS9YopcggQCfYnvw
hXfT3SOxuL1y1adv5zmv3v8=
=smRT
-END PGP SIGNATURE-


[Zope-dev] (Security) Hotfix_20050405 Released (URL correction)

2005-04-05 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Overview

  Zope Corporation has released a Zope hotfix product addressing a
  potential vulnerability discovered during a recent security audit
  of Zope 2.7 and 2.8.

Affected Versions

  The hotfix affects versions 2.7.5 and earlier of Zope on the 2.7
  release line, as well as versions 2.8a1 and 2.8a2 on the upcoming 2.8
  release line.  The vulnerability will be resolved in versions 2.7.6
  and 2.8b1.  We recommend that any site which permits untrusted users
  to write PythonScripts apply this hotfix, and upgrade to a fixed
  version of Zope as it becomes available.

Further Information

  Please see the product README,
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/README.txt
  for details on the vulnerability, and for instructions on installing
  the hotfix.

Downloading the Hotfix

  - Unix tarball,
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/Hotfix_20050405.tar.gz

  - Windows ZIP archive,
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/Hotfix_20050405.zip


Apologies for the earlier typoed URLs.

Tres Seaver.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  Zope Dealers   http://www.zope.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCUtIhGqWXf00rNCgRAitxAJ9Vualp5LLSrMQb1T799UWKa1UJoQCgmCJ2
EqH0Sj4RN0V8o1ldX6C1g90=
=1lBU
-END PGP SIGNATURE-


[Zope-dev] Security declarations vanish over time?!

2004-03-18 Thread Chris Withers
Hi there,

I have a little help class:

class NamesProxy:

    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, names):
        self.names = names

    def __getitem__(self, item):
        return self.names[item]

    def __len__(self):
        return len(self.names)
...which lets me do batches over .objectValues() of BTreeFolders without Zope's 
security whining.

Anyway, so that I can do:

<tal:x define="Batch nocall:modules/ZTUtils/Batch;
               NamesProxy nocall:modules/Products/MyProduct/NamesProxy">
...I have the following in MyProduct's __init__.py:

from AccessControl import ModuleSecurityInfo
ModuleSecurityInfo('Products').declarePublic('MyProduct')
security = ModuleSecurityInfo()
# make NamesProxy usable from PageTemplates
from namesproxy import NamesProxy
security.declarePublic('NamesProxy')
security.apply(globals())
...all well and good, yes?

Okay, now it gets weird :-S

This works fine for a while (as in period of time) and then you start getting 
errors of the following sort:

  File "/usr/local/zope/2.6.1/lib/python/Products/PageTemplates/TALES.py", line 217, in evaluate
  File "/usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py", line 206, in __call__
  File "/usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py", line 194, in _eval
  File "/usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py", line 150, in _eval
    (Info: modules)
  File "/usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py", line 346, in restrictedTraverse
    (Object: Products.ScreenDigest)
    (Info: {'path': ['Products', 'MyProduct', 'NamesProxy'], 'TraversalRequestNameStack': []})
Unauthorized: You are not allowed to access NamesProxy in this context

What gives?

Weirder still, this can be fixed by restarting Zope... until the next time it 
starts doing it :-(

Any ideas?

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope-dev] Security validation issue

2004-01-30 Thread Chris Withers
Herman Geldenhuys wrote:

> I've written a Zope product that exposes a MenuItem. I add a menuItem 
> in a Zope folder, and I have no difficulty accessing and editing it via 
> the ZMI. I've written an xml-rpc-like protocol for Zope, that basically 
> validates the security manually.

What do you mean by manually?

> This code works for any other default Zope type, but not mine. Did I 
> perhaps forget a permission or something?

Did you do security declarations for that method?

> I can access this fine via the ZMI, but when I validate it this way, 
> python just starts cursing at me.

Why are you doing your own validation? ;-)

cheers,

Chris



Re: [Zope-dev] Security validation issue

2004-01-30 Thread Herman Geldenhuys
Hi

> Herman Geldenhuys wrote:
>
>> I've written a Zope product that exposes a MenuItem. I add a menuItem
>> in a Zope folder, and I have no difficulty accessing and editing it via
>> the ZMI. I've written an xml-rpc-like protocol for Zope, that basically
>> validates the security manually.
>
> What do you mean by manually?

By manually I mean that I have to do the validation myself. I have written a
new protocol that plugs into the Zope application server. It's called OZE
and I am about to release the source on sourceforge. Its an RPC-like
protocol. But in a nutshell, I must do the security validation myself,
because I bypass a few usual-Zope elements in the framework.

I will gladly answer any other questions, but will this satisfy for now?

H



[Zope-dev] Security validation issue

2004-01-28 Thread Herman Geldenhuys



I've written a Zope product that exposes a "MenuItem". I add a menuItem in a
Zope folder, and I have no difficulty accessing and editing it via the ZMI.
I've written an xml-rpc-like protocol for Zope, that basically validates the
security "manually".

This menuItem has an attribute called "def getVersion(self):" which returns an int.

This is the code that prevents me from accessing the method in python, via my
protocol:

if not AccessControl.getSecurityManager().validate(None, object, attributes[-1]):
    raise UnauthorisedAccessException('Unauthorised: ' + originalAddress)

object = <bound method HWMenuItem.getVersion of <HWMenuItem instance at 01B7B290>>

This is the method getVersion

attributes[-1] = "getVersion" (string)

UnauthorisedAccessException: Unauthorised: menus.administration.addUser.getVersion

This code works for any other default Zope type, but not mine. Did I perhaps
forget a permission or something?

I can access this fine via the ZMI, but when I validate it this way, python
just starts cursing at me.

Can somebody help?

Thanks

H



Re: [Zope-dev] Security audit introduced problem in PageTemplates/Expression.py

2004-01-14 Thread Stuart Bishop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 13/01/2004, at 4:19 PM, Stuart Bishop wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> The 'security audit work for the 2.7 branch' commit on 8th Jan made
> the following change in PageTemplates/Expression.py:
As well as in other locations such as ZopeGuards.py.

I've opened http://collector.zope.org/Zope/1182 with some
example code.
Anyone know if None is being passed as the name in some locations?
I don't think it would be helpful for me to go around reversing
code changed by a security audit without some background.
- --  Stuart Bishop [EMAIL PROTECTED]
http://www.stuartbishop.net/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)
iD8DBQFABgNqAfqZj7rGN0oRApeyAJ0Y4BzVbQfOdq2rpaH/m1e9cip/RACfUqzq
i1nr0FrFG544SCKh7dReZVk=
=4TUc
-END PGP SIGNATURE-


[Zope-dev] Security audit introduced problem in PageTemplates/Expression.py

2004-01-12 Thread Stuart Bishop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:
***
*** 312,318 
  # Skip directly to item access
  o = object[name]
  # Check access to the item.
! if not validate(object, object, name, o):
  raise Unauthorized, name
  object = o
  continue
- --- 307,313 
  # Skip directly to item access
  o = object[name]
  # Check access to the item.
! if not validate(object, object, None, o):
  raise Unauthorized, name
  object = o
  continue
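Review bot: dropping the `name` argument in `validate(object, object, None, o)` on the item-access path, while the very next line still does `raise Unauthorized, name`, withholds a value the code has from the policy; a hook registered with `setDefaultAccess`, such as the `_checkAccess(self, name, value)` quoted later in this message, now receives `None` and `name.startswith('CG')` raises `AttributeError` before it can return 0 or 1. Suggest keeping `name` in the call or, if the audit requires the item-access check to be name-less, a comment beside the `None` saying why, since as written the change is indistinguishable from a typo.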
***
*** 367,373 
  raise
  else:
  # Check access to the item.
! if not validate(object, object, name, o):
  raise Unauthorized, name
  object = o
- --- 362,368 
  raise
  else:
  # Check access to the item.
! if not validate(object, object, None, o):
  raise Unauthorized, name
  object = o
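Review bot: the same `name` to `None` substitution is made a second time in the `else:` branch (367-373 / 362-368), again followed by `raise Unauthorized, name`; whatever is decided for the first site should be applied here as well, and routing both item-access checks through one helper would keep a future change from being made at one site and missed at the other.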
This has the side effect of not passing the name attribute to
my security assertion methods registered via
ClassSecurityInfo.setDefaultAccess:
class Foo(blah, blah, blah):
    security = ClassSecurityInfo()

    def _checkAccess(self, name, value):
        if name.startswith('CG'):
            return 1
        return 0
    security.setDefaultAccess(_checkAccess)

    def __getitem__(self, key):
        ''' Access via dictionary interface, with security
        provided via _checkAccess
        '''
        return 'example'
Reversing the changes to Expression.py seems to break lots of
things (including SiteErrorLog), so I'm sure this is much more
involved.
Can anyone shed light onto what is going on?

- --  
Stuart Bishop [EMAIL PROTECTED]
http://www.stuartbishop.net/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAA4AFAfqZj7rGN0oRArWMAJ96sb9wKkx9qqstiB+78cZ1LrtW8ACggNX8
+uCQkzQGvbgIzW8Sb4C9kAE=
=7xyW
-END PGP SIGNATURE-


Re: [Zope-dev] security issue

2003-08-14 Thread Dieter Maurer
Toby Gustafson wrote at 2003-8-14 04:35 -0700:
> ...
> I am having a problem accessing a function defined in a product I have
> created and installed.
> ...
> From that script I try to call the
> function with the lines:
>
>    from Products.StoreEvent import StoreEvent
>
>    ...
>
>    storeEvents = StoreEvents.searchForStoreEvents(context, ...)
>
> ...
> You are not allowed to access searchForStoreEvents in this
> context.
>
> I have read the security document at:
>
>    http://www.zope.org/Documentation/Books/ZDG/current/Security.stx
>
> and have tried adding several things to my StoreEvent.__init__.py file,
> such as:
>
>    modulesecurity = ModuleSecurityInfo()
>    modulesecurity.declarePublic( \
>      'Products.StoreEvent.searchForStoreEvents')
>    modulesecurity.apply(globals())

ModuleSecurityInfo is quite complex. I do not understand it completely.

However, I see one error in your code: in your declarePublic,
one StoreEvent is missing.
Your searchForStoreEvents is at
'Products.StoreEvent.StoreEvent.searchForStoreEvents'

> However, nothing seems to work.  Anybody have any idea what I am doing
> wrong.

The AccessControl.allow_module may be simpler to use
(however, it make available the complete module content).


Dieter



[Zope-dev] security issue

2003-08-14 Thread Toby Gustafson

Hello,

   I am having a problem accessing a function defined in a product I have
created and installed.

   The product is called StoreEvent, and it was created using the
PloneMinimalInstall as a guide.

   In the StoreEvent product is a file called StoreEvent, which contains a
function searchForStoreEvents.  This function is outside of the StoreEvent
class which is also defined in the file.

   I have created a page template which contains a form, and when the form
is submitted, a script is executed.  From that script I try to call the
function with the lines:

   from Products.StoreEvent import StoreEvent

   ...

   storeEvents = StoreEvents.searchForStoreEvents(context, ...)

When I bring up the page and submit it, I get a popup asking me to enter a
username and password.  When I cancel that, I get an error page with the
message You are not allowed to access searchForStoreEvents in this
context.

I have read the security document at:

   http://www.zope.org/Documentation/Books/ZDG/current/Security.stx

and have tried adding several things to my StoreEvent.__init__.py file,
such as:

   modulesecurity = ModuleSecurityInfo()
   modulesecurity.declarePublic( \
 'Products.StoreEvent.searchForStoreEvents')
   modulesecurity.apply(globals())

However, nothing seems to work.  Anybody have any idea what I am doing
wrong?

Thanks in advance,
--Toby.
---
Toby Gustafson
Senior Software Engineer
Tyrell Software Corporation
Email: [EMAIL PROTECTED]
---





Re: [Zope-dev] Security-Problem

2003-02-19 Thread Steve Alexander

Shane Hathaway [EMAIL PROTECTED] wrote:
>> Do you not want foo to have the Manager role?

Andre Schubert wrote:
> No, because he is no longer in our company.

Shane Hathaway [EMAIL PROTECTED] wrote:
>> I think you're asking for a find + chown utility, right?  I don't know 
>> of one, but it sure would be nice to have. :-)

Andre Schubert wrote:
> It would be very nice to have such a tool :)
>
> BTW: Thanks for the quick answers, you help me to understand the problem.
> I take the ownership of all objects where foo was the owner
> and the problems should go away :)


Andre,

Don't treat this so lightly! When you take ownership of objects where 
foo is the owner, you are telling Zope that you take responsibility for 
those objects.

For example, let's say foo had written a python script for removing all 
of her files older than one day.

Here's some pseudocode:

  For all files older than one day:
      try:
          remove the file
      except PermissionError:
          pass

This will work, provided foo has rights to delete only foo's files.
If you take ownership of such a script, and you run it, then it will 
have very different effects.

Also, if you are a Manager (or in another privileged role), and you take 
ownership of such a script, you may be allowing others to delete their 
own files when they run that script, whereas before nothing much would 
have happened.


In 99% of cases, none of this will be a problem. However, you should 
take care when taking ownership of objects, especially objects that 
represent code such as python scripts and dtml methods and page templates.

--
Steve Alexander




[Zope-dev] Security-Problem

2003-02-18 Thread Andre Schubert
Hi all,

I have a little security problem which results in the following error
reported by Shane Hathaway's nice VerboseSecurity:

Error Type: Unauthorized
Error Value: The owner of the executing script does not have the required permission. 
Access to 'foobar' of (Folder instance at 932b600) denied. Access requires 
View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing 
script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles 
['Authenticated', 'Owner'].

I'll try to explain what happens.
Let's say I have a user called foo who has the Manager role across a Zope site.
foo has added 2 DTMLMethods to a folder, called bar and foobar.
foobar is called from inside bar (<dtml-call foobar>).
He also created a role MSAdmin.
bar is accessible and visible by Anonymous users.
foobar is accessible and visible by MSAdmin and Manager.
If I view bar and log in as a user with the MSAdmin role, everything works fine.
But if I remove the Manager role from foo, who created the two DTMLMethods, I get 
the above error.

I have the same problem with a really big Zope site where I have to remove 
the Manager role from a specific user. The only solution I have found is to recreate 
the DTMLMethods, but it is very hard to recreate all DTMLMethods created by foo.

I hope somebody has another hint for me. :)

Regards, as




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Shane Hathaway
On 02/18/2003 09:16 AM, Andre Schubert wrote:

> I try to explain what happens. Lets say i have a user called foo who
> has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to
> a folder called bar and foobar. foobar is called from inside bar
> (dtml-call foobar). He also created a Role MSAdmin. bar is
> accessible and visible by Anonymous Users. foobar is accessible and
> visible by MSAdmin and Manager. If i view bar and login as a user
> with MSAdmin-Roles everything works fine. But if i remove the
> Manager-Role from foo who has created the two DTMLMethods i get the
> above error.


Do you not want foo to have the Manager role?


> I have the same problem with a really big Zope-Site where i have the
> remove Manager-Roles from a specific user. The only solution i have
> found is to recreate the DTMLMethods, but it is very hard to
> reacreate all DTMLMethods created by foo.


I think you're asking for a find + chown utility, right?  I don't know 
of one, but it sure would be nice to have. :-)

Shane




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Joachim Werner
Andre Schubert schrieb:

> Hi all,
>
> i have a little Security-Problem which results in the following Error
> reported by Shane Hathaway's nice VerboseSecurity:
>
> Error Type: Unauthorized
> Error Value: The owner of the executing script does not have the required
> permission. Access to 'foobar' of (Folder instance at 932b600) denied.
> Access requires View_Permission, granted to the following roles:
> ['MSAdmin', 'Manager']. The executing script is (DTMLMethod instance at
> 8c8a508), owned by foo, who has the roles ['Authenticated', 'Owner'].
>
> I try to explain what happens.
> Lets say i have a user called foo who has Manager-Roles across a Zope-site.
> foo has added 2 DTMLMethods to a folder called bar and foobar.
> foobar is called from inside bar (dtml-call foobar).
> He also created a Role MSAdmin.
> bar is accessible and visible by Anonymous Users.
> foobar is accessible and visible by MSAdmin and Manager.
> If i view bar and login as a user with MSAdmin-Roles everything works fine.
> But if i remove the Manager-Role from foo who has created the two DTMLMethods
> i get the above error.
>
> I have the same problem with a really big Zope-Site where i have the remove
> Manager-Roles from a specific user. The only solution i have found is to
> recreate the DTMLMethods, but it is very hard to reacreate all DTMLMethods
> created by foo.
>
> I hope somebody has another hint for me. :)


Non-authoritative answer:

As far as I know the problem is ownership. If you want to access objects 
whose owner is gone you get into trouble.

So there are probably two solutions:

a) DO NOT delete the owner
b) Let somebody else take over the ownership



--

iuveno AG

Joachim Werner

_

Wittelsbacherstr. 23b
90475 Nürnberg

[EMAIL PROTECTED]
www.iuveno.de

Tel.: +49 (0) 911/ 9 88 39 84




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Andre Schubert
On Tue, 18 Feb 2003 12:01:45 -0500
Shane Hathaway [EMAIL PROTECTED] wrote:

 On 02/18/2003 09:16 AM, Andre Schubert wrote:
  I try to explain what happens. Let's say I have a user called foo who
  has the Manager role across a Zope site. foo has added 2 DTMLMethods to
  a folder, called bar and foobar. foobar is called from inside bar
  (<dtml-call foobar>). He also created a role MSAdmin. bar is
  accessible and visible to Anonymous users. foobar is accessible and
  visible to MSAdmin and Manager. If I view bar and log in as a user
  with the MSAdmin role everything works fine. But if I remove the
  Manager role from foo, who created the two DTMLMethods, I get the
  above error.
 
 Do you not want foo to have the Manager role?

No, because he is no longer in our company.

 
  I have the same problem with a really big Zope site where I have to
  remove the Manager role from a specific user. The only solution I have
  found is to recreate the DTMLMethods, but it is very hard to
  recreate all DTMLMethods created by foo.
 
 I think you're asking for a find + chown utility, right?  I don't know 
 of one, but it sure would be nice to have. :-)
 

It would be very nice to have such a tool :)

BTW: Thanks for the quick answers, you helped me to understand the problem.
 I'll take ownership of all objects where foo was the owner
 and the problems should go away :)

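The rule behind the Unauthorized error in this thread, as an added illustration written for this archive page (it is not code from the thread and not Zope's own security policy): when a permission check happens inside an executable that has an owner (a DTML Method or Script created through the web), Zope requires the permission's roles to be held both by the authenticated user and by the executable's owner. The classes below (User, ProtectedObject, OwnedExecutable, validate) are simplified stand-ins for that check; the role names and the user "alice" are constructed for the example.

```python
"""Stand-in model of Zope's owner check for owned executables.

Added example for this thread, not Zope code.  Models the rule that a call
made through an owned DTML Method / Python Script is allowed only if the
permission's roles are held by BOTH the authenticated user and the owner.
"""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

    def allowed(self, roles_for_permission):
        # A user satisfies a permission if any of the user's roles is granted it.
        return bool(self.roles & set(roles_for_permission))


class ProtectedObject:
    """An object with a per-permission role map, like a Folder's Security tab.
    roles_for_view mirrors the error message in the thread:
    View_Permission granted to ['MSAdmin', 'Manager']."""
    def __init__(self, name, roles_for_view):
        self.name = name
        self.roles_for_view = list(roles_for_view)


class OwnedExecutable:
    """A DTML Method / Python Script owned by the user who created it."""
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner

    def change_ownership(self, new_owner):
        self.owner = new_owner


class Unauthorized(Exception):
    pass


def validate(user, target, executable=None):
    """Check View access of `user` on `target` when the access happens inside
    `executable` (None means a direct web request).  Returns True or raises
    Unauthorized with a message shaped like the VerboseSecurity one above."""
    if not user.allowed(target.roles_for_view):
        raise Unauthorized("%s may not access '%s'" % (user.name, target.name))
    if executable is not None and not executable.owner.allowed(target.roles_for_view):
        raise Unauthorized(
            "The owner of the executing script does not have the required permission. "
            "Access to '%s' requires View_Permission, granted to %r. The executing "
            "script is '%s', owned by %s, who has the roles %r."
            % (target.name, target.roles_for_view, executable.name,
               executable.owner.name, sorted(executable.owner.roles)))
    return True


def scenario():
    """Replay the thread: works while foo is Manager, breaks after the role is
    removed, works again once someone else takes over ownership (solution b)."""
    foobar = ProtectedObject("foobar", ["MSAdmin", "Manager"])
    foo = User("foo", ["Authenticated", "Owner", "Manager"])
    bar = OwnedExecutable("bar", owner=foo)      # <dtml-call foobar> runs inside bar
    visitor = User("alice", ["Authenticated", "MSAdmin"])   # constructed caller
    results = {}

    results["before"] = validate(visitor, foobar, bar)   # caller and owner both qualify

    foo.roles.discard("Manager")                          # foo leaves the company
    try:
        validate(visitor, foobar, bar)
        results["after_removal"] = True
    except Unauthorized as exc:
        results["after_removal"] = False
        results["message"] = str(exc)

    admin = User("admin", ["Authenticated", "Manager"])
    bar.change_ownership(admin)                           # the "chown" step
    results["after_chown"] = validate(visitor, foobar, bar)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, "->", value)
```

The caller's own roles never change in the scenario; only the owner's do, which is why recreating the methods (new owner) or reassigning ownership fixes it while adding roles to the caller does not.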



[Zope-dev] Security problems importing from python package.

2002-11-25 Thread Clemens Robbenhaar

At Thu, 21 Nov 2002 12:16:09 +, Chris Withers wrote:

  I'm trying to get stripogram working from Script(Pythons). I thought I had it, 
  but it appears I don't.
  
  I added the following in the __init__.py of the stripogram package:
  
  try:
      from AccessControl import ModuleSecurityInfo, allow_module
  except ImportError:
      # no Zope around
      raise
  else:
      allow_module('stripogram')
      ModuleSecurityInfo('stripogram').declareObjectPublic()
      ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')
  

 This issue has most probably been resolved in the meantime, but I cannot
find any trace of it at [EMAIL PROTECTED] or [EMAIL PROTECTED], so I'll
drop in my 2 cents here.


 I have just run into a similar problem, and can offer the following
explanation after some debugging:

 It seems 'allow_module' etc. are not executed by Zope in advance,
unless they are in the __init__.py of a 'Product', or the module is
imported by some core module or Product. This is quite standard Python
behaviour: a module is not initialized before it is imported, and Zope does
some extra work to initialize all Products on startup.


 If one tries to import the code from a Python Script, the security
machinery first checks whether the module has some security info, and imports
it afterwards if the info is found. But as the module has not been imported
yet, it is not initialized, has no such info, and thus will not
be allowed for import. 
 It seems there is some chicken-and-egg problem here, or I have missed
something completely.

 The workaround is to insert a dummy 'import stripogram' in some
Product, which triggers the security info creation -- or make the little
helper script a Product of its own.


  I don't think either the allow_module or the declareObjectPublic() should be 
  necessary. However, the declareObjectPublic at least made this test pass:
  
   from Products.PythonScripts.PythonScript import PythonScript
   theScript = PythonScript('test')
   theScript.ZBindings_edit({})
   theScript.write("from stripogram import html2text\nreturn html2text('<i>hello</i>')")
   theScript._makeFunction()
   self.assertEqual(theScript(), 'hello')
  

This works because your test code first imports something from module
stripogram via the file system (no access restriction) and then creates the
test script, which finds the module info on import as the module is
already initialized.

  But even adding the 'allow_module' won't let the following Script (Python) 
  created through the ZMI work:
  
  from stripogram import html2text
  
  The error I get is:
  
Error Type: ImportError
  Error Value: import of stripogram is unauthorized

 In this case the module has not been initialized yet, and the TTW
access is the first import, which fails due to the security
restriction problem mentioned above.


 Hope this helps; and I hope someone can point out where I am wrong about the
chicken-and-egg problem of 'non-Product' module import. 


Cheers,
Clemens 





[Zope-dev] Security problems importing from python package.

2002-11-21 Thread Chris Withers
Hi,

I'm trying to get stripogram working from Script(Pythons). I thought I had it, 
but it appears I don't.

I added the following in the __init__.py of the stripogram package:

try:
    from AccessControl import ModuleSecurityInfo, allow_module
except ImportError:
    # no Zope around
    raise
else:
    allow_module('stripogram')
    ModuleSecurityInfo('stripogram').declareObjectPublic()
    ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')

I don't think either the allow_module or the declareObjectPublic() should be 
necessary. However, the declareObjectPublic at least made this test pass:

from Products.PythonScripts.PythonScript import PythonScript
theScript = PythonScript('test')
theScript.ZBindings_edit({})
theScript.write("from stripogram import html2text\nreturn html2text('<i>hello</i>')")
theScript._makeFunction()
self.assertEqual(theScript(), 'hello')

But even adding the 'allow_module' won't let the following Script (Python) 
created through the ZMI work:

from stripogram import html2text

The error I get is:

 Error Type: ImportError
Error Value: import of stripogram is unauthorized

  File \lib\python\Products\PythonScripts\PythonScript.py, line 302, in _exec
(Object: tester)
(Info: ({'script': PythonScript instance at 012CB4D8, 'context': 
Application instance at 012B92D8, 'container': Application instance at 
012B92D8, 'traverse_subpath': []}, (), {}, None))
  File Script (Python), line 1, in tester
  File \lib\python\AccessControl\ZopeGuards.py, line 153, in guarded_import
ImportError: (see above)

What am I doing wrong? Why doesn't this code behave as advertised in
Products/PythonScripts/module_access_examples.py?

cheers,

Chris





[Zope-dev] Security Testing

2002-10-14 Thread Chris Withers

Hi,

I'd like to build a suite of security tests for a product I'm writing using 
unittest.py.

Is this possible?

I thought about using newSecurityManager with various known users, and 
restrictedTraverse to get to the appropriate methods, but then how do I test if 
those methods are callable?

cheers,

Chris

PS: How is all this being tackled in Zope 3?





Re: [Zope-dev] Security Testing

2002-10-14 Thread Stefan H. Holek

Chris!

You might want to take a look at my ZopeTestCase package. It supports Zope 
security testing with users, roles, permissions and all.
http://www.zope.org/Members/shh/ZopeTestCase/

Also see the tests coming with the ReplaceSupport and DocFinderEverywhere 
products. In essence restrictedTraverse() will work. Alternatively you 
could call getSecurityManager().validate() or .validateValue() directly.

HTH,
Stefan


--On Montag, 14. Oktober 2002 15:49 +0100 Chris Withers [EMAIL PROTECTED] 
wrote:

 Hi,

 I'd like to build a suite of security tests for a product I'm writing
 using unittest.py.

 Is this possible?

 I thought about using newSecurityManager with various known users, and
 restrictedTraverse to get to the appropriate methods, but then how do I
 test if those methods are callable?

 cheers,

 Chris

 PS: How is all this being tackled in Zope 3?
--
Those who write software only for pay should go hurt some other field.
/Erik Naggum/




Re: [Zope-dev] Security-Bug

2002-05-13 Thread Dieter Maurer

Andre Schubert writes:
  If I have the permission to view the management screens I am able to add Zope 
 Permissions... is this a security bug or not?
It probably is.

I have been really unable to read this from your previous report, sorry!


Dieter





Re: [Zope-dev] Security-Bug

2002-05-12 Thread Andre Schubert

On Wed, 8 May 2002 23:04:08 +0200
Dieter Maurer [EMAIL PROTECTED] wrote:

 Andre Schubert writes:
   could this be a bug in the security machinery?
   
   Let's say we have a role foo; this role has the permission to view the management 
screens.
   Let's say we have a user bar which has the role foo.
   
   If I log in to the ZMI I am able to go to
   Control_Panel/Products.
   And now, if I want, I am able to add a Zope Permission in every Product folder I 
find.
   
   Tested with Zope 2.4.3
   
   Have I missed any security permissions or is this really a bug?
 I do not understand what your problem is...
 
   What does not work?
   
 
 Dieter
 
If I have the permission to view the management screens I am able to add Zope 
Permissions... is this a security bug or not?





Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

Just a word to thank you for your reply. 
But incidentally, wouldn't it be a good idea for Globals.InitializeClass() 
to throw an error
or a warning of some kind for hanging 'security.stuff()' declarations,
declarations which do not have a related ClassSecurityInfo object AT THE
CLASS LEVEL? To the unaware beginner (like myself) this creates
a very obscure bug: the declaration at the module level 'hiding' the missing
ClassSecurityInfo object (at the class level). I see some other discussions
on this list on this topic, so maybe this problem is already being addressed.
Anyway, I would never have found this alone by a long shot. Thanks.
Sorry for the cross-post.

* Steve Alexander [EMAIL PROTECTED] [020118 15:43]:
 vio wrote:
   Could someone have a look at the following 'Boring' class with the
   security functionality added (as described in ZopeBook/6.Security
   and some other products). Could 'security' machinery be broken in
   Zope-2.4.1 ? It surely doesn't seem to work as advertised, on my
   machine at least (Debian Linux 2.2, Zope 2.4.1 (source release)
   python 2.1.0, linux2). Tell me if it works on your installation.
 
  
   Boring.py
   __doc__ = """Boring product"""
   __version__ = '0.1'
   import Globals
   from Globals import HTMLFile      # fakes a method from a DTML file
   from Globals import MessageDialog # provides a simple confirmation dialog
   from Globals import Persistent    # makes an object stick in the ZODB
   import OFS.SimpleItem
   import Acquisition
   import AccessControl.Role
   from AccessControl import ClassSecurityInfo
  
   READ_PERM = 'View Stuff'
   WRITE_PERM = 'Change Stuff'
   security = ClassSecurityInfo()
 
 
 You have declared your ClassSecurityInfo object at the module level,
 rather than as an attribute of the class you wish to make security
 statements about.
 
 Please do not cross-post to both [EMAIL PROTECTED] and [EMAIL PROTECTED] 
 Post to one or the other.
 
 --
 Steve Alexander




Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread Steve Alexander

vio wrote:
 Just a word to thank you for your reply. 
 But incidently, wouldn't it be a good idea for Globals.InitializeClass() 
 to throw an error
 or a warning of some kind for hanging 'security.stuff()' declarations,
 declarations which do not have a related ClassSecurityInfo object AT THE
 CLASS LEVEL? 

That would be a fine idea. Unfortunately, there is no straightforward 
way telling that you called methods on the security object in the class 
definition.

When you call Globals.InitializeClass(your_class), it looks for a 
ClassSecurityInfo object, and doesn't find one.

The fact that your class definition had the side-effect of altering the 
module's security object doesn't leave any traces in the class object 
that results from your definition.

--
Steve Alexander





Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

* vio [EMAIL PROTECTED] [020119 09:56]:
 vio wrote:
  Just a word to thank you for your reply. 
  But incidently, wouldn't it be a good idea for Globals.InitializeClass() 
  to throw an error
  or a warning of some kind for hanging 'security.stuff()' declarations,
  declarations which do not have a related ClassSecurityInfo object AT THE
  CLASS LEVEL? 
 
 That would be a fine idea. Unfortunately, there is no straightforward 
 way telling that you called methods on the security object in the class 
 definition.

Why not simply check for the keyword 'security.' in the class source ? 
Anything beginning with that word most probably has something to do with 
security. But if 'security' is not a reference to a security object,
just throw an exception. This would make everything so much simpler.

 
 When you call Globals.InitializeClass(your_class), it looks for a 
 ClassSecurityInfo object, and doesn't find one.


If I understood correctly, this should be treated like an error:
not allow the programmer to have calls to security methods which
aren't there, because that's more or less what's happening here. And
definitely not be silent about it !!! That's a syntax error or something.

So Globals.InitializeClass(your_class) finds the declaration 
'security.declareSomething()' inside a class, but 'security' being
a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has 
no effect at the class level (while I wrongly thought that by declaring it
at the module level like that, it will behave more or less like a 'global'
variable). I wonder what was carried at the class level, but something 
definitely was, else Python would have thrown something ugly at me.

In my opinion, Globals.InitializeClass() should check such calls to
security methods, and by all means NOT remain silent if it can not carry out 
the call because it couldn't find a ClassSecurityInfo object's method. 
Throw a 'method not found' error or something like that. 
Silence = 'bad'. I'll even say it's a bug.

Vio




Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread Steve Alexander

vio wrote:

deletia

 So Globals.InitializeClass(your_class) finds the declaration 
 'security.declareSomething()' inside a class, but 'security' being
 a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has 
 no effect at the class level (while I wrongly thought that by declaring it
 at the module level like that, it will behave more or less like a 'global'
 variable).

deletia

 In my opinion, Globals.InitializeClass() should check such calls to
 security methods

You appear not to understand how Python and the declarative security 
system in Zope work.

Globals.InitializeClass() does not read the source to your modules. You 
would need some sort of lint tool to perform the checking you describe.


Why not try to implement a simple case of the error-correcting system 
that you describe? You might want to extend an existing lint tool such 
as PyChecker, to take account of conventions used in Zope products.

   http://pychecker.sourceforge.net/

--
Steve Alexander





Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

You are right, I struggled a lot to understand Zope's declarative security 
model. And I am still learning, so practice makes better. I didn't read 
the Globals.InitializeClass() source, and I wrote my following comments out of the 
blue. Developing an error-correcting system might still be a little out
of my league, for now.
Anyway, the important thing is that your initial comments regarding Boring.py
were right on target: 'security = ClassSecurityInfo()' must be declared
INSIDE the class. It really solved my problem. 
Thanks again !!!

Cheers,
Vio


* Steve Alexander [EMAIL PROTECTED] [020119 11:05]:
 vio wrote:
 
 deletia
 
  So Globals.InitializeClass(your_class) finds the declaration 
  'security.declareSomething()' inside a class, but 'security' being
  a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has 
  no effect at the class level (while I wrongly thought that by declaring it
  at the module level like that, it will behave more or less like a 'global'
  variable).
 
 deletia
 
  In my opinion, Globals.InitializeClass() should check such calls to
  security methods
 
 You appear not to understand how Python and the declarative security 
 system in Zope work.
 
 Globals.InitializeClass() does not read the source to your modules. You 
 would need some sort of lint tool to perform the checking you describe.
 
 
 Why not try to implement a simple case of the error-correcting system 
 that you describe? You might want to extend an existing lint tool such 
 as PyChecker, to take account of conventions used in Zope products.
 
http://pychecker.sourceforge.net/
 
 --
 Steve Alexander




Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread Phillip J. Eby

At 10:43 AM 1/19/02 -0500, vio wrote:
* vio [EMAIL PROTECTED] [020119 09:56]:

So Globals.InitializeClass(your_class) finds the declaration
'security.declareSomething()' inside a class, but 'security' being
a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has
no effect at the class level (while I wrongly thought that by declaring it
at the module level like that, it will behave more or less like a 'global'
variable). I wonder what was carried at the class level, but something
definitely was, else Python would have thrown something ugly at me.

Check the Python reference manual -- not the library reference, but the 
language definition.  You'll find that Python has two primary scopes: 
local and global.  When a class statement is executing, the local 
namespace is the future __dict__ of the class, and the global namespace is 
the module __dict__.  If security.Foo() is in the body of a class, and 
security is not in the *local* namespace (i.e. already defined in the 
class body), then it will be looked up in the global namespace.  Thus, your 
calls went to the module-level security, but no security object was 
present in the resulting class (because there was no statement placing one 
there).

IMHO, you don't want to share a security object between more than one 
class, since presumably they will have different declarations and thus each 
require their own.  So there's no reason to create a ClassSecurityInfo 
object at the module level, anyway.


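The scoping rule Phillip describes, and the check vio asked for earlier in the thread, as an added example written for this archive page (it is not code from the thread and not Zope's own machinery). ClassSecurityInfo below is a minimal stand-in that only records declarations, and initialize_class is a stand-in for Globals.InitializeClass that refuses a class with no ClassSecurityInfo of its own; the real Zope classes live in AccessControl and behave differently. The class names BoringBroken and BoringFixed are constructed for the example.

```python
"""Why 'security.declareX()' in a class body can silently hit a module-level
object, and a lint-style check that catches it.

Added example for this thread, not Zope code.  ClassSecurityInfo and
initialize_class are simplified stand-ins, not the AccessControl originals.
"""


class ClassSecurityInfo:
    """Stand-in: records (name, kind) pairs instead of building __ac_permissions__."""
    def __init__(self):
        self.declarations = []

    def declarePublic(self, *names):
        self.declarations.extend((n, "public") for n in names)

    def declareProtected(self, permission, *names):
        self.declarations.extend((n, permission) for n in names)


def initialize_class(cls):
    """Stand-in for Globals.InitializeClass that does what the thread asks for:
    refuse a class that carries no ClassSecurityInfo of its own.  The real one
    silently does nothing, because the class object keeps no trace of calls
    that went to a module-level object."""
    infos = [v for v in vars(cls).values() if isinstance(v, ClassSecurityInfo)]
    if not infos:
        raise TypeError("%s has no ClassSecurityInfo attribute; declarations "
                        "made in its body went to a module-level object"
                        % cls.__name__)
    return infos[0].declarations


# --- the broken pattern from Boring.py: security lives at module level -------
security = ClassSecurityInfo()


class BoringBroken:
    # 'security' is not assigned in the class-body namespace, so Python looks
    # it up in the module globals: this call mutates the module-level object.
    security.declarePublic("index_html")

    def index_html(self):
        return "hello"


# --- the fixed pattern: the class owns its own ClassSecurityInfo -------------
class BoringFixed:
    security = ClassSecurityInfo()
    security.declarePublic("index_html")
    security.declareProtected("Change Stuff", "manage_edit")

    def index_html(self):
        return "hello"

    def manage_edit(self, title):
        self.title = title


def where_did_the_declaration_go():
    """Evidence for the thread's diagnosis: nothing landed in the class."""
    return {
        "class_has_security_attr": "security" in vars(BoringBroken),
        "module_object_received_it": ("index_html", "public") in security.declarations,
    }


def check(cls):
    """Run the stand-in initializer; return the declarations or the error text."""
    try:
        return initialize_class(cls)
    except TypeError as exc:
        return str(exc)


if __name__ == "__main__":
    print(where_did_the_declaration_go())
    print(check(BoringBroken))
    print(check(BoringFixed))
```

The check works only because it inspects the class dict after the body has executed; as Steve says, no tool that runs at InitializeClass time can see the stray calls themselves, so the best it can do is insist that every initialized class has a security object of its own.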



Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

* Phillip J. Eby [EMAIL PROTECTED] [020119 12:04]:
 ...
 IMHO, you don't want to share a security object between more than one 
 class, since presumably they will have different declarations and thus each 
 require their own.  So there's no reason to create a ClassSecurityInfo 
 object at the module level, anyway.

Good point. Actually, I only declared ClassSecurityInfo object at the module
level out of convenience: I thought each class (presuming there were more
than one in the module) could reference that same security object, so maybe
save a few CPU cycles in the process (plus, I saw this done in some product
I used as a learning example). But your point is well taken ... plus 
module-level security declarations have no effect at the class level.

Vio




[Zope-dev] Security Gurus Wanted

2002-01-18 Thread vio

Could someone have a look at the following 'Boring' class with the security 
functionality added (as described in ZopeBook/6.Security and some other products). 
Could 'security' machinery be broken in Zope-2.4.1 ? It surely doesn't seem to work as 
advertised, on my machine at least (Debian Linux 2.2, Zope 2.4.1 (source release) 
python 2.1.0, linux2). Tell me if it works on your installation.


Boring.py

__doc__ = """Boring product"""
__version__ = '0.1'
import Globals
from Globals import HTMLFile      # fakes a method from a DTML file
from Globals import MessageDialog # provides a simple confirmation dialog
from Globals import Persistent    # makes an object stick in the ZODB
import OFS.SimpleItem
import Acquisition
import AccessControl.Role
from AccessControl import ClassSecurityInfo

READ_PERM = 'View Stuff'
WRITE_PERM = 'Change Stuff'
security = ClassSecurityInfo()

manage_addBoringForm = HTMLFile('boringAdd', globals())
def manage_addBoring(self, id, title='', REQUEST=None):
    """Add a Boring to a folder."""
    self._setObject(id, Boring(id, title))
    if REQUEST is not None:
        return self.manage_main(self, REQUEST)

class Boring(
    OFS.SimpleItem.Item,            # A simple Principia object. Not Folderish.
    Persistent,                     # Make us persistent. Yaah!
    Acquisition.Implicit,           # Uh, whatever.
    AccessControl.Role.RoleManager  # Security manager.
    ):
    """Boring object."""
    meta_type = 'Boring'   # what do people think they're adding?
    manage_options = (     # what management options are there?
        {'label': 'Edit',     'action': 'manage_main'},
        {'label': 'View',     'action': ''},   # defaults to index_html
        {'label': 'Security', 'action': 'manage_access'},
        )

    # NOTE: commented out following as it seems to conflict with 
    #  'security.declareP...()' declarations later on
    #__ac_permissions__=( # what permissions make sense for us?
    #   ('View management screens', ('manage_tabs','manage_main')),
    #   ('Change permissions',      ('manage_access',)   ),
    #   ('Change Borings',          ('manage_edit',) ),
    #   ('View Borings',            ('',)),
    #   )

    def __init__(self, id, title=''):
        """initialise a new instance of Boring"""
        self.id = id
        self.title = title

    #   SECURITY -   
    # here I played with '#'s, then simply tried to access 'index_html'
    # after each security declaration,
    # as user 'Anonymous', and noted the results on same line. 
    # 'NOT-WORKING' simply means not working as advertised (allowed access when 
    # it shouldn't, and vice-versa). As you can see, there are too many 
    # 'NOT-WORKING' results. Do you come to similar results?
    # My conclusion is that security declarations have no effect whatsoever,
    # whether I declare something, then its opposite, I end up with the same
    # result. This shouldn't be.

    security.setPermissionDefault(READ_PERM,
                                  ['Stuff Manager', 'Manager'])
    security.setDefaultAccess('deny')   #   == NOT-WORKING

    #   security.declarePrivate('index_html')   #   == NOT-WORKING
    #   security.declarePublic('index_html')    #   == OK
    #   security.declareProtected(READ_PERM, 'index_html') #  == NOT-WORKING

    index_html = HTMLFile('index', globals())

    security.declarePublic('manage_main')   #   == NOT-WORKING
    manage_main = HTMLFile('boringEdit', globals())

    def manage_edit(self, title, REQUEST=None):
        """Change the title (a docstring is required for ZPublisher to publish this method)."""
        self.title = title
        if REQUEST is not None:
            return MessageDialog(
                title = 'Edited',
                message = "Properties for %s changed." % self.id,
                action = './manage_main',
                )

Globals.InitializeClass(Boring)






Re: [Zope-dev] Security Question

2001-11-28 Thread Danny William Adair

On Saturday 24 November 2001 01:40, Andre Schubert wrote:
 root/
   index_html
   foo/
 acl_users/
 bar/
   Image

 I have an image which can only be viewed by users with a role named
 foobar; these users are in acl_users.
 If I access the image through the web I must authenticate myself the
 first time; after that everything works well.
 But if I want to access the Image via <dtml-var Image> from the
 index_html in the root folder I get no access.
 After searching at Zope.org I tested with <dtml-var
 "restrictedTraverse('foo/bar/Image')"> but this doesn't work.
 How do I authenticate myself in foo if I access the folder via DTML?

In your Image object, give the Access Contents Information permission to the role 
Anonymous (or whoever usually views index_html), but keep View forbidden 
for Anonymous (allowed only for foobar role owners).

This way, the var tag (which could have been called by Anonymous) will be 
able to see the object, and Zope will authenticate automatically, if this 
is necessary in order to view it.

For security reasons, your Image object will not even be found, if the 
caller's role does not have the Access Contents Information permission. I 
find this a good idea and reason.

There is no difference whether you climb to Image using restrictedTraverse, 
the with tag, or directly. All these will have identical results.

If you want to avoid the separate permission settings (because you have a lot 
of Image objects you want to behave like that), either give index_html a 
proxy role that has the Access Contents Information permission on Image 
(or the whole bar folder), or use unrestrictedTraverse in index_html.

hth,
Danny




Re: [Zope-dev] Security Question

2001-11-28 Thread Andre Schubert

Danny William Adair schrieb:
 
 On Saturday 24 November 2001 01:40, Andre Schubert wrote:
  root/
index_html
foo/
  acl_users/
  bar/
Image
 
  I have an image which can only be viewed by users with a role named
  foobar; these users are in acl_users.
  If I access the image through the web I must authenticate myself the
  first time; after that everything works well.
  But if I want to access the Image via <dtml-var Image> from the
  index_html in the root folder I get no access.
  After searching at Zope.org I tested with <dtml-var
  "restrictedTraverse('foo/bar/Image')"> but this doesn't work.
  How do I authenticate myself in foo if I access the folder via DTML?
 
 In your Image object, give the Access Contents Information to the role
 Anonymous (or whoever usually views index_html), but keep View forbidden
 for Anonymous (allowed only for foobar role owners).
So it is.
 
 This way, the var tag (which could have been called by Anonymous) will be
 able to see the object, and Zope will authenticate automatically, if this
 is necessary in order to view it.
This doesn't work, because the user is not known in root where the
index_html is;
the user is known in the folder view.

 
 For security reasons, your Image object will not even be found, if the
 caller's role does not have the Access Contents Information permission. I
 find this a good idea and reason.
 
 There is no difference whether you climb to Image using restrictedTraverse,
 the with tag, or directly. All these will have identical results.
 
 If you want to avoid the separate permission settings (because you have a lot
 of Image objects you want to behave like that), either give index_html a
 proxy role that has the Access Contents Information permission on Image
 (or the whole bar folder), or use unrestrictedTraverse in index_html.
 
 hth,
 Danny

as




Re: [Zope-dev] Security Question

2001-11-28 Thread Danny William Adair

 This doesn't work, because the user it not known in root where the
 index_html is,
 the user is known in the folder view.


Sorry.
I think I read your first email a little too fast.

This behavior is normal, and meant to strengthen Zope security.
You are not calling the Image object, index_html is. The user folder will not 
authenticate above. You are calling index_html which is above. 
That's why calling the Image object directly works fine.

If the other way would be possible, you could switch the authenticating 
user_folders and thus sneak into something you weren't allowed to access:

<dtml-with folder_where_current_user_is_in_acl_users_and_has_foobar_role>
<dtml-with folder_next_to_it_where_user_can_access_contents_information>
<dtml-var some_Image_only_foobar_role_owners_can_view>
</dtml-with>
</dtml-with>

This means showing the bouncer your public library card, instead of (at 
least) your driver's license. Of course it says that you're 21...

By the way, this has nothing to do with the URL. Calling /foo/bar/index_html, 
(hoping for acquisition leaving you with the client object bar), will bring 
the same result. <dtml-var Image> will _find_ the Image object, but 
index_html (which is still above) will need to show proper permissions.

So you cannot do it this way. Not even unrestrictedTraverse would help you. 
Not even a proxy role, since you would have the same problem with the method 
that holds the proxy role. Where would you put it?

If I understand you right, you want the user to authenticate when trying to 
access index_html, because that's where the protected image will be shown. 
(Or was the question not of practical relevance?)

You either have to move index_html down to where acl_users lies, or the other 
way around.

If you want one universal view image page, which only asks for 
authentication if needed for the image it is supposed to show (and doesn't 
for public images), then call foo/bar/Image/show with show being a method 
on the same level as your current index_html. Another way would be 
redirection.

The third and by far the easiest solution is to use

<img src="/foo/bar/Image">

in index_html, because then the Image object will be requested directly and 
authenticates itself (on the right level).

I was rebuilding your sample structure, and found something quite annoying
that might have to go into the Collector:

Access contents information looks like it is not sufficient to access image 
objects or their properties.

<dtml-var foo.bar.Image.width> will need the View permission, which is 
not how this thing works with other object types. As soon as you _access_ an 
image object Zope behaves as if you were trying to render it, but you're not 
(yet).

You might have found a Zope bug here...

Hope this helps,
Danny




[Zope-dev] Security

2001-11-20 Thread Magnus Heino


Hi.

Looking at Amos ZPublisher howto,
http://www.zope.org/Members/Amos/ZPublisher

Would it be possible to use the security machinery too?

/Magnus





Re: [Zope-dev] security question

2001-06-16 Thread Shane Hathaway

Tim McLaughlin wrote:
> root has a role called 'User' with 'View' permissions (anonymous is
> disabled) and acl_users has a user called joe.  joe can access objects in
> folder2 according to the permissions set on the root by using acquisition
> like this:
> http://server/folder1/folder2/object1
> joe cannot however, access them directly:
> http://server/folder2/object1
>
> Does this seem strange to anybody else, or have I just been working too
> long?

What version of Zope?  What OS?  Are you using a user folder other than
the stock acl_users?

Shane




[Zope-dev] security question

2001-06-15 Thread Tim McLaughlin

It seems to me that a User should not get to keep their roles in the
acquired objects which are above the User Folder in which the user is
defined... However, that does not seem to be true according to my testing.

This is what happens.  Imagine a tree like this
root-folder1-acl_users
    \folder2-object1


root has a role called 'User' with 'View' permissions (anonymous is
disabled) and acl_users has a user called joe.  joe can access objects in
folder2 according to the permissions set on the root by using acquisition
like this:
http://server/folder1/folder2/object1
joe cannot however, access them directly:
http://server/folder2/object1

Does this seem strange to anybody else, or have I just been working too
long?
_
Tim McLaughlin
iterationZERO - www.iterationzero.com
703-481-2233





[Zope-dev] SECURITY alert and hotfix release

2001-05-01 Thread Chris McDonough

Hello All,

  Dieter Maurer uncovered a potential security issue yesterday that
  necessitated a hotfix release.

  This hotfix addresses an important security issue that affects Zope
  versions up to and including Zope 2.3.2.

  The issue is related to ZClasses in that any user can visit a ZClass
  declaration and change the ZClass permission mappings for methods
  and other objects defined within the ZClass, possibly allowing
  for unauthorized access within the Zope instance.

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.3.2 have this hotfix product installed
  to mitigate this issue.

- http://www.zope.org/Products/Zope/Hotfix_2001-05-01/README.txt

- http://www.zope.org/Products/Zope/Hotfix_2001-05-01/Hotfix_2001-05-01.tgz





Re: [Zope-dev] Security Management

2001-04-15 Thread Chris Withers

Andre Schubert wrote:
>
> But is there a way to find out that the current REQUEST comes from joe
> and joe has no user object in the root acl_users.

If you're doing this because you're worried that Joe won't later be able to view
the protected document, don't worry, Zope will handle that for you ;-)

cheers,

Chris





[Zope-dev] Security Management

2001-04-12 Thread Andre Schubert

Hi all,

I have a question on the security system of zope.

First I have a folder called foo in the root with acl_users and a doc
called foo_doc:

root/
    bar_doc
    foo/
        acl_users/
            joe
        foo_doc

Anonymous users couldn't view the foo_doc. This means only logged-in
users like joe could view the foo_doc.
Now my question is: when joe is logged in in foo to view the foo_doc,
and after that he views bar_doc, he is authenticated as Anonymous in the
bar_doc REQUEST (right??).
But is there a way to find out that the current REQUEST comes from joe
and joe has no user object in the root acl_users?
I played with getSecurityManager, but it doesn't work.
Can anybody help please?

as





Re: [Zope-dev] Security Management

2001-04-12 Thread Dieter Maurer

Andre Schubert writes:
> ... direct access to authentication credentials ...
You cannot ask Zope about the user identity because
it does not visit the authenticating user folder
in the described case.

If you use basic authentication (the Zope default), then
you can read "REQUEST._auth" to get the AUTHENTICATION
header content which in turn tells you the user (after
base64 decoding). The leading "_" tells you that there
is no way to access it from DTML or Python Script.
You will need an external method.

If you use cookie authentication, you can look at the cookie.
It may show the username in a readable form.


Dieter
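The behaviour Danny, Tim and Andre are circling (a user folder only gets to authenticate a request whose URL traverses through its folder; a method higher up sees the user as Anonymous) and Dieter's note about decoding the Basic credentials, put together as a small Python 3 model. This is an added example, not Zope's code: Folder, Document, publish, build_site and the joe/secret credentials are constructed for the illustration.

```python
"""Model of Zope 2's traversal-time authentication (added example, not Zope's code).

Constructed layout from Tim McLaughlin's post: root/folder1/acl_users defines joe,
root/folder2/object1 is the protected object, and root grants 'View' to the 'User'
role but not to Anonymous.  Credentials arrive in a Basic Authorization header and
are decoded as Dieter describes: base64 of "user:password".
"""
import base64

ANONYMOUS = "Anonymous"


class Folder:
    def __init__(self, name, users=None, view_roles=None):
        self.name = name
        self.users = users            # None: no acl_users here; else {login: (password, roles)}
        self.view_roles = view_roles  # None: not set here, acquired; else roles holding 'View'
        self.children = {}

    def add(self, child):
        self.children[child.name] = child
        return child


class Document:
    def __init__(self, name):
        self.name = name


def parse_basic_auth(header):
    """Return (login, password) from a 'Basic <base64>' header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    if ":" not in raw:
        return None
    login, _, password = raw.partition(":")
    return login, password


def traverse(root, path):
    """Objects visited while publishing `path`; names not found locally are acquired."""
    visited = [root]
    for step in path.strip("/").split("/"):
        for container in reversed(visited):  # implicit acquisition walks back up the path
            if isinstance(container, Folder) and step in container.children:
                visited.append(container.children[step])
                break
        else:
            raise KeyError("NotFound: %s" % path)
    return visited


def authenticate(visited, auth_header):
    """Only user folders *on the traversal path* ever see the credentials, innermost first."""
    creds = parse_basic_auth(auth_header)
    for obj in reversed(visited):
        if creds and isinstance(obj, Folder) and obj.users is not None:
            record = obj.users.get(creds[0])
            if record and record[0] == creds[1]:
                return creds[0], set(record[1])
    return ANONYMOUS, {ANONYMOUS}


def can_view(visited, roles):
    """Use the nearest 'View' setting on the path (acquired from root when unset below)."""
    for obj in reversed(visited):
        if isinstance(obj, Folder) and obj.view_roles is not None:
            return bool(roles & set(obj.view_roles))
    return False


def publish(root, path, auth_header=None):
    """Return (authenticated user, allowed to View) for one request."""
    visited = traverse(root, path)
    user, roles = authenticate(visited, auth_header)
    return user, can_view(visited, roles)


def build_site():
    root = Folder("root", users={}, view_roles=["User", "Manager"])  # root acl_users: no joe
    root.add(Folder("folder1", users={"joe": ("secret", ["User"])}))
    root.add(Folder("folder2")).add(Document("object1"))
    return root


JOE = "Basic " + base64.b64encode(b"joe:secret").decode("ascii")  # constructed header

if __name__ == "__main__":
    site = build_site()
    # folder1 is on the path, so its acl_users authenticates joe: ('joe', True)
    print(publish(site, "/folder1/folder2/object1", JOE))
    # folder1 is not on the path; joe's header is never examined: ('Anonymous', False)
    print(publish(site, "/folder2/object1", JOE))
```

The same model gives Andre's answer: a request for bar_doc at the root never visits foo, so foo's acl_users is never asked and the REQUEST is Anonymous even though joe's header is present.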




[Zope-dev] SECURITY ALERT and Zope hotfix release [2001-03-08]

2001-03-09 Thread Brian Lloyd

Hello all -

  An issue has come to our attention (thanks to Randy Kern) that
  necessitates a Zope hotfix. Hotfix products can be installed to
  incorporate modifications to Zope at runtime without requiring
  an immediate installation upgrade. Hotfix products are installed
  just as you would install any other Zope product.

  This hotfix (Hotfix_2001-03-08) addresses an important security issue
  that affects Zope version 2.3.0 and the current 2.3.1 beta 1 release.

  The issue involves an error in the 'aq_inContextOf' method of objects
  that support acquisition. A recent change to the access validation
  machinery made this bug begin to affect security restrictions. The bug,
  with the change to validation, made it possible to access Zope objects
  via acquisition that a user would not otherwise have access to. This
  issue could allow users with enough internal knowledge of Zope to
  perform actions higher in the object hierarchy than they should be able
  to.

  We *highly* recommend that any Zope site running Zope 2.3.0 final or any
  alpha or beta version of 2.3.0 or 2.3.1 beta 1 have this hotfix product
  installed to mitigate the issue. Zope 2.3.1 beta 2 will contain a fix for
  the issue, at which time the hotfix can be removed. Zope versions prior
  to 2.3.0 are not affected by this issue.

  - http://www.zope.org/Products/Zope/Hotfix_2001-03-08/README.txt

  - http://www.zope.org/Products/Zope/Hotfix_2001-03-08/Hotfix_2001-03-08.tgz


Brian Lloyd           [EMAIL PROTECTED]
Software Engineer     540.371.6909
Digital Creations     http://www.digicool.com







[Zope-dev] SECURITY alert and hotfix release...

2001-02-23 Thread Brian Lloyd

Hello All,

  Casey Duncan uncovered a potential security issue today that
  necessitated a hotfix release.

  This hotfix addresses an important security issue that affects Zope
  versions up to and including Zope 2.3.1 b1.

  The issue is related to ZClasses in that a user with through-the-web
  scripting capabilities on a Zope site can view and assign class attributes
  to ZClasses, possibly allowing them to make inappropriate changes to
  ZClass instances.

  This patch also fixes problems in the ObjectManager, PropertyManager, and
  PropertySheet classes related to mutability of method return values which
  could be perceived as a security problem.

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.3.1 b1 have this hotfix product installed
  to mitigate these issues if the site is accessible by untrusted users
  who have through-the-web scripting privileges.

- http://www.zope.org/Products/Zope/Hotfix_2001-02-23/README.txt

- http://www.zope.org/Products/Zope/Hotfix_2001-02-23/Hotfix_2001-02-23.tgz



Brian Lloyd           [EMAIL PROTECTED]
Software Engineer     540.371.6909
Digital Creations     http://www.digicool.com







[Zope-dev] Security hole in CookieCrumbler

2001-01-30 Thread Shane Hathaway

Hi folks,

It turns out that the released versions of the CookieCrumbler product have
a terrible security hole.  I recommend you uninstall it immediately.

I'm not going to be able to deal with the problem fully today, but if
you're interested in getting a solution right away you can grab today's
PTK from CVS which contains a version of CookieCrumbler without the hole.

Thanks to Phil Harris for finding the problem.

Shane






[Zope-dev] Security _does_ work, it's just confusing :-)

2001-01-12 Thread Chris Withers

Answering my own post ;-)
Security does work, and was being applied, it's just still very much
along 'allow by default'.

Chris Withers wrote:

> This class has no __roles__, no __ac_permissions__, no nothing...
> Instances of this class are stored within a special folderish class, Y.

Now the key here was the no __ac_permissions__ thing. Basically, this
meant that default__class_init__ didn't add any roles as it usually
does...

> I thought Zope's security policy had changed to be disallow by default,
> but that really doesn't seem to be the case here :-S

It isn't, if you don't define __ac_permissions__ in any class, Acquiring
or not, you're wide open :-(

The patch is pretty simple:
===
RCS file: /cvs-repository/Zope2/lib/python/App/class_init.py,v
retrieving revision 1.5
diff -r1.5 class_init.py
125a126,131
 
 for name, v in dict.items():
 if not (hasattr(self,'__roles__') or have(name+'__roles__'):
 try: v.__roles__ = []
 except dict[name+'__roles__'] = []
 
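Review bot: the hunk as posted does not parse, so it cannot have run: `if not (hasattr(self,'__roles__') or have(name+'__roles__'):` is missing the closing parenthesis for `not (`, and `except dict[name+'__roles__'] = []` needs the `except` clause terminated by a colon before the assignment. The condition also asks `hasattr(self,'__roles__')` about the class being initialised rather than about the value `v` whose roles are being set, so once the class itself carries a `__roles__` nothing further is protected; `hasattr(v,'__roles__')` reads as the intent. The bare `except` then hides every failure, not just the attribute-assignment one it is there to catch, and the description should say that `[]` as the roles value denies the name to every role, Manager included, which is the "access denied first" stance argued for below.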

...which is quite harsh and simplistic. It's not tested and may have
implications for things like self._properties and the like. But it's
better to have access denied and fix that than not know what's hanging
out, right?

Also, having looked at class_init.py, it appears that if you leave
methods out of __ac_permissions__, they're currently also completely
open, which might be bad :-S (although I think the above patch takes
care of that...)

I guess the 'disallow by default' should really be implemented at the
_checking_ stage, which currently says if you don't have a __roles__
attribute, anyone can do anything, but I understand there were other
implications there. What were they? When will the move to
disallow-by-default take place?

cheers,

Chris





[Zope-dev] Security Machinery doesn't work on some objects?

2001-01-10 Thread Chris Withers

Hi there,

I'm slightly confused by a class I have:

class X(Persistent, Acquisition.Explicit):

This class has no __roles__, no __ac_permissions__, no nothing...
Instances of this class are stored within a special folderish class, Y.

This folderish class has a __bobo_traverse__ which returns X objects,
wrapped in context, from its self._xs BTree using something along the
lines of:

def __bobo_traverse__(self, REQUEST, name):
    ob = getattr(self, name, _marker)
    if ob == _marker:
        ob = 
    return self._xs[name].__of__(self)

Now, it appears no methods or other attributes of this class are
protected by the security machinery, even though the instances involved
are wrapped. The DocString stuff still applies but, once a method has a
docstring, any anonymous user who can traverse to one of these objects,
can execute any method (attributes whinge about a missing docstring, how
bizarre, attempting to traverse to __init__ complains the method starts
with a _ ;-) of that instance which is more than a little disturbing ;-)

I thought Zope's security policy had changed to be disallow by default,
but that really doesn't seem to be the case here :-S
What am I missing out on? Is there some mixin class I need or something
I need to acquire to make the security machinery check these objects?

confusedly and worriedly,

Chris





[Zope-dev] Security Permissions

2000-11-27 Thread Andre Schubert

Hi,

I have found the Security Permissions below in the Zope Root that are not
defined by myself.

A
D
G
Z
a
d
h
r
s
t

Who can tell me where these Permissions come from?

as






Re: [Zope-dev] Security/Acquisition Bug? (take two)

2000-11-12 Thread Charlie Wilkinson

On Sun, Nov 12, 2000 at 11:42:32PM +0100, Dieter Maurer waxed eloquent:
>
> I tried it on my ZopeCVS installation.
> The Python parts are quite new. The C-part is about 2 weeks old.
>
> I can not observe what you describe.
> "/index_html" can be viewed as "Anonymous" without any
> change in permissions.

Hi Dieter,
Thanks for investigating.  I also gave it another try, with the same
results as my previous attempts.  Maybe I'm doing something dumb?
I have followed exactly these steps (as a regular user):

1. mkdir Zope2

2. cvs -z7 -d :pserver:[EMAIL PROTECTED]:/cvs-repository checkout Zope2

3. cd Zope2

4. python wo_pcgi.py

5. python zpasswd.py -u XX -p XX access

6. Edit start file (for port change and stupid log):

#! /bin/sh
reldir=`dirname $0`
PYTHONHOME=`cd $reldir; pwd`
export PYTHONHOME
exec /usr/bin/python \
 $PYTHONHOME/z2.py -P 9000 \
 -D "$@" STUPID_LOG_FILE=$PYTHONHOME/zope.log

7. ./start 

8. Visit http://www.boinklabs.com:9080/index_html

9. Get BASICAUTH login box...  ??

Box is Redhat 6.0 with updates, Python 1.5.2 from source.  CVS is v1.10.5.
The only bit I left out was setting up the CVS login on a prior occasion:

cvs -d :pserver:[EMAIL PROTECTED]:/cvs-repository login

-cw-

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! http://spam.abuse.net/
   Join!! http://www.cauce.org/
~
QOTD:
Al Gore: Please, just concede.  I can't handle another four years of
whiney Republican bumper stickers!





Re: [Zope-dev] Security/Acquisition Bug? (take two)

2000-11-12 Thread Charlie Wilkinson

I should have included this in my previous reply - this is the Zope
error I am getting after failing out of BASICAUTH login:

--
Zope Error

Zope has encountered an error while publishing this resource. 

Unauthorized

You are not authorized to access this resource.

No Authorization header found. 

Traceback (innermost last):
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 162, in publish
  File /share4/Zope2/lib/python/ZPublisher/BaseRequest.py, line 463, in traverse
  File /share4/Zope2/lib/python/ZPublisher/HTTPResponse.py, line 569, in unauthorized
Unauthorized: (see above)
--

Does that provide any (additional) clues?

-cw-






[Zope-dev] Security/Acquisition Bug? (take two)

2000-11-10 Thread Charlie Wilkinson

I had posted about this previously, but no one has tackled this one,
it seems to be a pretty serious issue, plus I've done a *lot* of poking
around and learned a few things since I first reported it.  What I have
*not* found (or been told) is that the below described behavior is normal.

First a simple exercise for those who would like to avoid my laborious
novice Zoper description and just ferret out the likely bug:

Create a fresh CVS copy of Zope on your *nix box.  Build it (python
wo_pcgi.py), configure 'start' with the ports of your choosing, set a
superuser password, start Zope and try to visit the /index_html page.

What I'm getting at that point is a BASICAUTH login box.  One has to
explicitly enable anonymous permissions on the index_html page in order
to view it without logging in.  I've read through all the security
model discussion I could find, but saw no discussion of this issue.
If somehow this behavior is intentional, I would greatly appreciate a clue
to that effect.  (Some response either way would be nice, actually...)

Based on my recent flailings with LoginManager and finally, stock
acl_users in Zope v2.2.cvs, it seems this problem relates to the
"scope" of acl_users and/or its parent folder not including the objects
within.  The security settings of the parent folder are apparently not
regarded in determining access to objects within.  Instead, acl_users is
only impacting its sibling objects (and presumably their child objects).

Apologies if I'm making the wrong noises in the wrong place in the
wrong way.  Any help or pointers welcome.

-cw-

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! http://spam.abuse.net/
   Join!! http://www.cauce.org/
~
QOTD:
"Bush is a big corporation disguised as a human being running for president."
-- Ralph Nader on David Letterman (9/28/00)





[Zope-dev] Security and Acquisition?!

2000-10-25 Thread Chris Withers

Toby Dickenson wrote:

> Zope security is context based: Users can be defined in a subfolder and only
> have access under that folder, they can also be given local roles for a
> given folder. The role:permission mapping is set per-folder. Any security
> aware object needs to know its context.

Yeah, I think I get it now *grumble* *grumble* ;-)

> >  That said, I think Shane said that Zope security is
> >  predicated a lot on
> >  Acquisition. Now, can I get the solution I'm looking for by mixing in
> >  Acquisition.Explicit, still have the security stuff work and
> >  not have the
> >  DisplayClass acquiring attributes I don't want it do?
>
> Yes, you will need to set Acquisition.Acquired for the necessary attributes.

Anyone know what those attributes are?

Maybe someone could knock up a new class in Acquisition:

Acquisition.SecurityAcquire which does this but is like
Acquisition.Explicit for everything else?

>
> Wanting to make an object non-acquiring may be a danger-sign of some other
> problems. If the correctness of your program depends on the absence of
> certain attributes (acquired or otherwise) then you need to take extra care
> over PropertyManager-like features, which might allow a user to add the
> critical attribute.

Yeah, I know :-S

But these are very specific classes that exist for no longer than the
duration of serving a single page request, and it'd just be nice to know
that they're not going to acquire any fluff they shouldn't...

cheers,

Chris





[Zope-dev] Security requires Acquisition?!

2000-10-24 Thread Chris Withers

Toby Dickenson and Brian Lloyd wrote:

> >  list.append(DisplayClass(name,self))
>
>    list.append(DisplayClass(name,self).__of__(self))
>

>
> >  class DisplayClass(Globals.Persistent):
>
>    class DisplayClass(Globals.Persistent, Acquisition.Implicit):

Okay, this did the trick, but I'm not very happy with the result :-(

I don't want the DisplayClass to be acquiring and I don't really see
(from a moral standpoint ;-) why I should need to mix in an Acquisition
class to make security work :-S

That said, I think Shane said that Zope security is predicated a lot on
Acquisition. Now, can I get the solution I'm looking for by mixing in
Acquisition.Explicit, still have the security stuff work and not have the
DisplayClass acquiring attributes I don't want it do?

cheers,

Chris





[Zope-dev] Security Confusion :-S

2000-10-23 Thread Chris Withers

If anyone can help me with this, it'd give me more faith in the new
security model :-S

Right, I have a Python Product Class (lots of bits left out ;-):

class MyProduct(OFS.SimpleItem.SimpleItem): 
    """...
    """

    __ac_permissions__=(
      ('Use MyProduct' ,('a_method',),('Manager',)),
      )

    a_methodisDocTemp=1

    def a_method(self,ignored,md):
        list = []
        for name in self.get_contents():
            list.append(DisplayClass(name,self))

        return list 

The important bits of DisplayClass look like:

class DisplayClass(Globals.Persistent):
    """ """

    __allow_access_to_unprotected_subobjects__=1

    meta_type = 'CaseDisplay'

    __ac_permissions__=(
      ('View',('get_name',),('Anonymous',)),
      )

    ...

    def get_name(self):
        return self._name

Now, I have a DTML method which goes like:

<dtml-with an_instance_of_MyProduct>
 <dtml-in a_method>
  <B><dtml-var sequence-item html_quote></B>
  <dtml-var get_name><BR>
 </dtml-in>
</dtml-with>

Which _always_ throws up an authentication box when a_method returns
anything except an empty list. No matter what username or password I
use, that box still appears.

What I would like is for the get_name and a_method methods to be mapped
to permissions so I can manage access to them using the security tab.
How should I do that?

BTW, in an attempt to get the method accessible in _some_ way I have
tried:
- setting __allow_access_to_unprotected_subobjects__=1 in both the
MyProduct and DisplayClass classes.
- setting get_name__roles__=None in the DisplayClass.
- giving every conceivable permission to both the Anonymous and Manager
roles in the folder containing the MyProduct instance

None of which feel like a good way to go, but nevertheless, none of them
worked.
The only way I could solve the problem was to give the DTML Method the
'Manager' proxy role, then everything worked fine.
Why is that?
What _is_ going on?

Confused and Frustrated (isn't that always the way with Zope security?!)

Chris





Re: [Zope-dev] Security Confusion :-S

2000-10-23 Thread Toby Dickenson

On Mon, 23 Oct 2000 15:59:24 +0100, Chris Withers [EMAIL PROTECTED]
wrote:

(untested hints to follow)


> class MyProduct(OFS.SimpleItem.SimpleItem): 
>     """...
>     """
>
>     __ac_permissions__=(
>       ('Use MyProduct' ,('a_method',),('Manager',)),
>       )
>
>     a_methodisDocTemp=1
>
>     def a_method(self,ignored,md):
>         list = []
>         for name in self.get_contents():
>             list.append(DisplayClass(name,self))

              list.append(DisplayClass(name,self).__of__(self))

>
>         return list 
>
> The important bits of DisplayClass look like:
>
> class DisplayClass(Globals.Persistent):

  class DisplayClass(Globals.Persistent, Acquisition.Implicit):

>
>     """ """
>
>     __allow_access_to_unprotected_subobjects__=1
>
>     meta_type = 'CaseDisplay'
>
>     __ac_permissions__=(
>       ('View',('get_name',),('Anonymous',)),
>       )



Toby Dickenson
[EMAIL PROTECTED]
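The declaration-to-check path that Chris's class_init posts and this DisplayClass thread turn on, as an added Python 3 model (not Zope's code): __ac_permissions__ is compiled into <name>__roles__ attributes, an attribute with no __roles__ is treated as open (the allow-by-default Chris describes, with his patch's deny-undeclared idea as an option), and the roles holding a permission are resolved through the acquisition chain, which is why Toby's __of__() wrapping matters. PermissionRole, Acquirer, initialize_class, deny_undeclared and permission_settings are this example's own names.

```python
"""Model of Zope 2's declarative security (added example, not Zope's code).

It shows what the two threads observe: class_init compiles __ac_permissions__ into
<name>__roles__ attributes; the policy check treats a *missing* __roles__ as open
to everyone (allow by default); and the roles holding a permission are looked up
through the acquisition chain, so an object has to be wrapped with __of__() before
a folder's settings can reach it.  initialize_class, deny_undeclared and
permission_settings are this example's own names.
"""
import copy
from types import SimpleNamespace


class PermissionRole:
    """Deferred 'roles for permission P', resolved against the container chain when checked."""

    def __init__(self, permission, default_roles):
        self.permission = permission
        self.default_roles = tuple(default_roles)

    def roles_on(self, ob):
        # ob -> aq_parent -> ... : the first local setting wins, else the class default.
        while ob is not None:
            settings = getattr(ob, "permission_settings", {})
            if self.permission in settings:
                return tuple(settings[self.permission])
            ob = getattr(ob, "aq_parent", None)
        return self.default_roles


class Acquirer:
    """Stand-in for Acquisition.Implicit: __of__ returns a copy that knows its container."""
    aq_parent = None

    def __of__(self, parent):
        wrapped = copy.copy(self)
        wrapped.aq_parent = parent
        return wrapped


def initialize_class(cls, deny_undeclared=False):
    """Model of default__class_init__: __ac_permissions__ -> <name>__roles__.

    deny_undeclared=True adds what Chris Withers' patch proposes: every public
    callable attribute that was not declared gets an empty roles tuple (nobody).
    """
    declared = set()
    for permission, names, default_roles in getattr(cls, "__ac_permissions__", ()):
        for name in names:
            setattr(cls, name + "__roles__", PermissionRole(permission, default_roles))
            declared.add(name)
    if deny_undeclared:
        for name, value in list(vars(cls).items()):
            if callable(value) and not name.startswith("_") and name not in declared:
                setattr(cls, name + "__roles__", ())
    return cls


def validate(user_roles, ob, name):
    """ZopeSecurityPolicy-style check; Zope raises Unauthorized where this returns False."""
    roles = getattr(ob, name + "__roles__", None)
    if roles is None:
        return True  # no __roles__ at all (or explicitly None): open to everyone
    if isinstance(roles, PermissionRole):
        roles = roles.roles_on(ob)  # only a wrapped object can see folder settings
    return bool(set(user_roles) & set(roles))


def make_display_class():
    """A fresh copy of Chris's DisplayClass: get_name under 'View', Anonymous by default."""
    class DisplayClass(Acquirer):
        __ac_permissions__ = (("View", ("get_name",), ("Anonymous",)),)

        def get_name(self):
            return "name"

        def secret_method(self):  # never listed in __ac_permissions__
            return "oops"
    return DisplayClass


def demo():
    anon, manager = {"Anonymous"}, {"Manager"}
    ob = initialize_class(make_display_class())()
    hardened = initialize_class(make_display_class(), deny_undeclared=True)()
    # A folder whose Security tab grants 'View' to Manager only (constructed).
    folder = SimpleNamespace(permission_settings={"View": ["Manager"]}, aq_parent=None)
    return {
        "undeclared_is_open": validate(anon, ob, "secret_method"),             # True
        "unwrapped_uses_default": validate(anon, ob, "get_name"),              # True
        "wrapped_anon": validate(anon, ob.__of__(folder), "get_name"),         # False
        "wrapped_manager": validate(manager, ob.__of__(folder), "get_name"),   # True
        "hardened_undeclared": validate(manager, hardened, "secret_method"),   # False
        "hardened_declared": validate(anon, hardened, "get_name"),             # True
    }
```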





[Zope-dev] security document comments

2000-09-08 Thread R. David Murray

Well, I just tried to post several paragraphs to the security interface
wiki, and netscape reported a proxy problem.  It then ate my posting
instead of giving it back to me when I pressed back.  So I'm going
to try to recreate what I wrote here and hope someone will post it
for me or something.  (If only w3m supported cookies...)

1) "in an anonymous context" made me think first of anonymous users.
I'm really not sure it's a very evocative phrase.  It's really
about manipulating a reference to the object instance itself rather than
calling one of its methods.

2) The doc is great, but I also like 'command reference' type things
where you get the complete syntax and semantics for each method.
If I can only have one doc, I'll take this one, but I can wish
for both <grin>.

3) Although I've written and worked with python Products (and with
python itself for longer), I really don't know what "subobjects
where the subobject supports the setting of arbitrary attributes"
are.  How about an example of one of those?

4) Having read this doc, I now understand how the current security model
works much better.  I think that indicates that this interface is
definitely a move in the right direction in terms of making the
whole thing more understandable and usable.

--RDM






[Zope-dev] Security Stuff :P (part 3) : the tracebacks

2000-08-22 Thread Chris Withers

Well, what do you know? I leave it for a couple of hours to set up a
laptop, come back and try again.
It's not hanging anymore, but I'm still getting the errors when I click
cancel:

Chris Withers wrote:
> Posting's objects have a text attribute called 'subject'
>
> Unless you have __allow_access_to_unprotected_subobjects__=1, you get
> the following error after you hit cancel on the authentication dialog
> box that pops up:

Traceback (innermost last):
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 222, in
publish_module
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 187, in
publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 171, in
publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\mapply.py, line 160, in
mapply
(Object: index_html)
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 112, in
call_object
(Object: index_html)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 167, in
__call__
(Object: index_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line
502, in __call__
(Object: index_html)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 163, in
__call__
(Object: site_header)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line
502, in __call__
(Object: site_header)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_In.py, line
691, in renderwob
(Object: site_item_list)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_Util.py, line
331, in eval
(Object: subject_image(subject))
(Info: subject)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 189, in
validate
(Object: index_html)
  File E:\Zope\227194~1.0\lib\python\AccessControl\SecurityManager.py,
line 139, in validate
  File
E:\Zope\227194~1.0\lib\python\AccessControl\ZopeSecurityPolicy.py, line
159, in validate
Unauthorized: subject

 icon is defined in
 Squishfile as follows:
 
 icon='misc_/Squishdot/squishfile_img'
 
 ...and is protected by the 'View' permission, but you still get the following error:

Traceback (innermost last):
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 222, in
publish_module
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 187, in
publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 171, in
publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\mapply.py, line 160, in
mapply
(Object: index_html)
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 112, in
call_object
(Object: index_html)
  File E:\Zope\2.2.0\lib\python\Products\Squishdot\Squishdot.py, line
1388, in index_html
(Object: RoleManager)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 167, in
__call__
(Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line
502, in __call__
(Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_In.py, line
691, in renderwob
(Object: attachment)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 189, in
validate
(Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\AccessControl\SecurityManager.py,
line 139, in validate
  File
E:\Zope\227194~1.0\lib\python\AccessControl\ZopeSecurityPolicy.py, line
159, in validate
Unauthorized: icon

Any ideas?

cheers,

Chris

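The two tracebacks above both end in ZopeSecurityPolicy.validate raising Unauthorized for an attribute that has no security declaration of its own. The following is an added example, not code from the original post or from Zope: a deliberately small Python model of the two decisions the post talks about, namely whether the attribute carries an explicit `<name>__roles__` declaration and, if not, whether the container sets `__allow_access_to_unprotected_subobjects__`. The Posting classes, the role tuples standing in for what the 'View' permission maps to, and the `can_read` helper are constructed for the illustration; the real policy also handles callable and dict forms of the flag and permission-role objects, which this model leaves out.

```python
"""Simplified model of the attribute-access rule behind the
"Unauthorized: subject" traceback. This is an added, constructed example,
not Zope's own ZopeSecurityPolicy code: it keeps only the two decisions
the post talks about (an explicit roles declaration on the attribute,
and the container's __allow_access_to_unprotected_subobjects__ flag)."""


class Unauthorized(Exception):
    """Raised when the modelled policy denies access to an attribute."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


# Zope 2's anonymous user carries the single role "Anonymous".
ANONYMOUS = User("Anonymous User", ["Anonymous"])


class Posting:
    """Stand-in for a Squishdot posting. `subject` is a plain attribute with
    no security declaration, which is the situation in the first traceback."""

    def __init__(self, subject):
        self.subject = subject


class OpenPosting(Posting):
    """Same class with the flag Chris mentions: every undeclared attribute
    becomes readable from DTML."""
    __allow_access_to_unprotected_subobjects__ = 1


class ViewProtectedPosting(Posting):
    """Same class with `subject` declared through the `<name>__roles__`
    convention. The roles listed here stand in for those the 'View'
    permission maps to in a default site (constructed assumption)."""
    subject__roles__ = ("Anonymous", "Manager")


class ManagerOnlyPosting(Posting):
    """`subject` declared readable by Managers only."""
    subject__roles__ = ("Manager",)


def roles_for(container, name):
    """Return the set of roles declared for `name`, or None if undeclared."""
    declared = getattr(type(container), name + "__roles__", None)
    return None if declared is None else frozenset(declared)


def validate(user, container, name):
    """Modelled decision: a roles declaration wins; otherwise the container
    flag decides; otherwise the access is Unauthorized, as in the traceback."""
    roles = roles_for(container, name)
    if roles is None:
        if getattr(container, "__allow_access_to_unprotected_subobjects__", 0):
            return True
        raise Unauthorized(name)
    if user.roles & roles:
        return True
    raise Unauthorized(name)


def can_read(user, container, name):
    """Boolean wrapper around validate() for callers that prefer no exception."""
    try:
        return validate(user, container, name)
    except Unauthorized:
        return False


if __name__ == "__main__":
    for cls in (Posting, OpenPosting, ViewProtectedPosting, ManagerOnlyPosting):
        print(cls.__name__, "anonymous can read subject:",
              can_read(ANONYMOUS, cls("Hello"), "subject"))
```

Run stand-alone, the script shows the plain Posting denied for the anonymous user, the flagged and 'View'-declared variants allowed, and the Manager-only variant denied again; the point of the model is that opening the whole class with the flag and declaring one attribute's roles are two very different fixes, and the second is the one that keeps undeclared attributes private.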




Re: [Zope-dev] Security Strangeness

2000-07-24 Thread Chris Withers

Johan Carlsson wrote:
 First, you can't delegate the permission to add and delete users except
 by assigning the user the role "manager".
 IMHO this is too limiting.

 Second, if you give a user the permission to Change Permissions, that
 user can change permissions that she doesn't have the right to manage
 in the first place. In that way she can upgrade her permissions.
 That's no good.

This is a little inflexible isn't it?

Chuck it in the collector I guess... :S

cheers,

Chris





[Zope-dev] Security Strangeness

2000-07-22 Thread Johan Carlsson


Hi all,
I noticed some strange behavior in the way Zope User Folders work.

First, you can't delegate the permission to add and delete users except
by assigning the user the role "manager".
IMHO this is too limiting.

Second, if you give a user the permission to Change Permissions, that
user can change permissions that she doesn't have the right to manage
in the first place. In that way she can upgrade her permissions.
That's no good.

Best Regards,
Johan Carlsson

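Johan's second point, and Chris's reply to it, describe a privilege escalation: holding "Change permissions" alone is enough to rewrite the role mapping of any other permission on the folder. The following is an added example, not code from either post or from Zope's RoleManager: a toy folder with the behaviour described, beside a hardened setter that only lets the actor reassign permissions she already holds. The folder contents, the role and permission names and the `escalation_demo` helper are constructed for the illustration.

```python
"""Toy model of the 'Change permissions' problem described in the thread: a
user who holds that one permission can rewrite the role mapping of
permissions she does not hold, and so grant them to herself. Constructed
example, not Zope's RoleManager code; the hardened variant shows the
check that is missing in the behaviour Johan describes."""


class Unauthorized(Exception):
    """Raised when the modelled folder refuses a permission change."""


class Folder:
    def __init__(self, perm_roles):
        # permission name -> set of roles that currently hold it
        self.perm_roles = {p: set(r) for p, r in perm_roles.items()}

    def permissions_of(self, roles):
        """All permissions held by a user with the given roles."""
        roles = set(roles)
        return {p for p, r in self.perm_roles.items() if roles & r}

    def set_roles_unchecked(self, actor_roles, permission, roles):
        """Behaviour as described in the thread: holding 'Change permissions'
        is the only gate, so any permission on the folder may be reassigned."""
        if "Change permissions" not in self.permissions_of(actor_roles):
            raise Unauthorized("Change permissions")
        self.perm_roles[permission] = set(roles)

    def set_roles_checked(self, actor_roles, permission, roles):
        """Hardened variant (constructed mitigation): the actor may only
        reassign permissions she already holds, so no mapping she produces
        can exceed her own rights."""
        held = self.permissions_of(actor_roles)
        if "Change permissions" not in held:
            raise Unauthorized("Change permissions")
        if permission not in held:
            raise Unauthorized(permission)
        self.perm_roles[permission] = set(roles)


def escalation_demo(checked):
    """Return True if an Editor ends up holding 'Add users' after trying to
    grant it to her own role; `checked` selects which setter is used."""
    folder = Folder({
        "Change permissions": {"Editor", "Manager"},
        "Add users": {"Manager"},
        "View": {"Anonymous", "Editor", "Manager"},
    })
    editor = {"Editor"}
    setter = folder.set_roles_checked if checked else folder.set_roles_unchecked
    try:
        setter(editor, "Add users", {"Editor", "Manager"})
    except Unauthorized:
        pass
    return "Add users" in folder.permissions_of(editor)


if __name__ == "__main__":
    print("unchecked setter, Editor gains 'Add users':", escalation_demo(False))
    print("checked setter, Editor gains 'Add users':", escalation_demo(True))
```

The unchecked path is the one the thread complains about: the Editor walks away holding "Add users". The checked path still allows delegation of anything the actor genuinely holds, which is the flexibility Johan's first point asks for, without letting "Change permissions" act as a master key.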