Hi, It is common knowledge that we can restrict access to an object by taking away many of the permissions from the security manager in the ZMI. Especially in the case of some objects like Oracle database connections, you don't want other people to be able to snag your "connect string" which contains username and password information.
However, if a user has access to any folder on the system, they can programmatically (and in some cases through the ZMI) copy objects to another location. For example, if a user can view the management screens in a folder, they can copy an object, paste it to another location, give themselves Manager local roles, and then view the "connect string". This works for basically every object. The problem is the CopySupport._canCopy method, which always returns 1 (true). It looks like this is meant to be overridden by specific products, but the base functionality should do some basic permission checking to determine whether the object is copyable. Below is a diff for OFS/CopySupport which adds a check to _canCopy that looks for the "Access contents information" permission.

-Chris

--
Christopher N. Deckard | Lead Web Systems Developer
[EMAIL PROTECTED] | Engineering Computer Network
http://www.ecn.purdue.edu/ | Purdue University

--- CopySupport.py.orig Wed May 1 14:59:46 2002 +++ CopySupport.py Wed May 1 15:02:34 2002 @@ -382,7 +382,9 @@ def _canCopy(self, op=0): """Called to make sure this object is copyable. The op var is 0 for a copy, 1 for a move.""" - return 1 + if self.REQUEST.AUTHENTICATED_USER.has_permission('Access contents +information', self): + return 1 + return 0 def _notifyOfCopyTo(self, container, op=0): """Overide this to be pickly about where you go! If you dont
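Review bot: the hunk will not apply as posted, because the mail client wrapped the string literal in the added `if` line, leaving `'Access contents` on one `+` line and `+information', self):` on the next; rejoin them into a single added line before submitting. On the check itself, `has_permission('Access contents information', self)` on the source object is a weak gate for the stated goal: the concern is an object whose management permissions were removed so its connect string stays hidden, yet 'Access contents information' is usually still granted there (a default Zope instance gives it to Anonymous), so the copy, paste, grant-Manager path described in the post stays open. Gate on the permission that actually protects the attribute being hidden, or at least on the management permission the user lacks at the source. Also consider `getSecurityManager().checkPermission(perm, self)` from AccessControl in place of `self.REQUEST.AUTHENTICATED_USER`, since `_canCopy` can be reached from code where REQUEST is not acquirable.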
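As an added illustration (not part of the post or of Zope's code), a toy Python model of the copy, paste, grant-Manager path described above: the role-to-permission table, folder and user names, the permission assumed to guard the connect string, and the three `can_copy_*` variants are all constructed. It shows the copy gate closing that path only when it checks the same permission at the source that protects the secret.

```python
# Toy model of the copy/paste exposure in the post (constructed; not Zope's code).
from dataclasses import dataclass, field

# Constructed policy: which roles hold which permission. As in a default Zope
# root, "Access contents information" is assumed to be granted to Anonymous.
ROLE_PERMS = {
    "Anonymous": {"Access contents information"},
    "Manager": {"Access contents information", "View management screens"},
}

@dataclass
class Folder:
    name: str
    local_roles: dict = field(default_factory=dict)  # user -> set of roles
    contents: dict = field(default_factory=dict)

@dataclass
class DbConnection:
    connect_str: str  # assumed guarded by "View management screens"

def has_permission(user, perm, folder):
    roles = folder.local_roles.get(user, set()) | {"Anonymous"}
    return any(perm in ROLE_PERMS.get(r, ()) for r in roles)

def read_connect_string(user, folder, obj):
    """The secret is readable only where the user holds the guarding permission."""
    if has_permission(user, "View management screens", folder):
        return obj.connect_str
    return None

def can_copy_original(user, src):  # CopySupport._canCopy before the patch
    return True

def can_copy_patched(user, src):   # the post's patch, modelled here
    return has_permission(user, "Access contents information", src)

def can_copy_guarding(user, src):  # assumed alternative: gate on the guarding permission
    return has_permission(user, "View management screens", src)

def copy_then_read(user, src, obj, dst, can_copy):
    """Copy obj out of src into dst, grant user Manager in dst, then read the secret.
    Returns the secret if the path succeeds, None if the copy gate blocks it."""
    if not can_copy(user, src):
        return None
    key = obj.__class__.__name__
    dst.contents[key] = obj                              # paste
    dst.local_roles.setdefault(user, set()).add("Manager")  # self-granted local role
    return read_connect_string(user, dst, dst.contents[key])
```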