RE: [Zope] Folder and SQL security

2000-09-05 Thread Chris McDonough

George,

Hi... please continue to respond to the list...

Did you clear the acquire permissions settings checkbox for all the
permissions in the "wholesale" folder?  Does it make any difference?

How are you testing this?  Are you sure that you aren't logged in as
"george" when you visit the wholesale folder?  (e.g. are you stopping
and restarting the browser to test this?)



 I am about one quarter through '6-1-Security.stx'. I printed all 41 pages. I
 also printed the security chapter from the ZB so I am trying to learn. It's
 just that at the moment I need a quick fix. Here is my case in detail:
 
 My site is located in the folder 'okstudio'. The 'root' folder also contains
 a user folder and me as the only user. I am the manager of the site (and the
 superuser). Several subfolders under folder 'okstudio' contain files that
 can be accessed by anyone. All subfolders except for one have the same
 security settings - 'view and access contents'. I also have an sql method
 that I use with in and /in to embed data from my database into HTML.
 The security settings of that method are - 'view, access contents
 information and use database methods'.
 There is one subfolder called 'wholesale' that should have restricted
 access. No viewing without authorisation. That folder will contain info for
 customers only that should not be seen by anyone else. I created a user
 subfolder in that folder where I listed myself as a 'manager'. I also took
 every permission from 'anonymous' so theoretically 'anonymous' should not be
 able to view the content of that folder. I also created 'index_html' DTML
 document and took all the permissions from anonymous there. I am still
 however able to view the index_html as anonymous without any authorisation.
 My question is: Is there a way how to make sure that no one unauthorised
 gets to see any of the contents of 'wholesale' folder???
 
 Regards,
 
 George
 
 
  -Original Message-
  From: Chris McDonough [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, 5 September 2000 10:08
  To: George Osvald
  Cc: [EMAIL PROTECTED]
  Subject: RE: [Zope] Folder and SQL security
 
 
  On Tue, 5 Sep 2000, George Osvald wrote:
 
   My sql works now and security is satisfactory so thank you. The only thing
   that remains in question is that one subfolder. I created a user folder
   inside, set all the security and it does not do what I want. I want to
   restrict any access including viewing for nobody. Only authorised customers
   would be able to view the page. After turning off all the security options
   though I am still able to view the pages as nobody. How do I prevent that?
 
  Do you have "acquire permissions" set on all the permissions of the
  folder?  Have you tried turning it off?
 
  This may be a wild goose chase because I'm sort of guessing at your
  problem.   Your message has generalizations like "that one subfolder"
  (what subfolder?  what are its settings?), "set all the security"
  (how?), "does not do what I want" (what do you want?  exactly how
  does it fail, can you give a concrete example?) and "the page" (what
  page?).  It'd be helpful to define these, because as much as I try, I
  can't read minds.  :-)
 
  HTH,
 
  C
 
   
George wrote:

 Security in ZOPE is very puzzling. If I have certain rules set for the
 root folder, can I set something different for the sub folders?

Sure... for general security information see both
http://www.zope.org/Members/michel/ZB (the Zope book security chapter,
mostly finished) and http://www.zope.org/Members/mcdonc/PDG (security
chapter mostly finished).

 Any
 changes seem to have no effect at all.

can you be more specific?

 I am especially wondering about
 setting for anonymous user. I'd like to give them only 'viewing'
 privilege but that does not work.

How doesn't it work?

 The site is not functional at all and
 asks for the password even for the viewing. Then I enable 'access the
 content' and the site works as long as I do not try to use sql.

Yes, "access contents information" is equivalent to allowing the user to
list the objects in an object manager.  It's given to anonymous by
default most of the time, and is probably required for most operations.

 When I
 however enable 'use sql methods' permission they can access my
 database, delete and add entries to it.

This should have nothing to do with 'access contents information'.
There should be permissions available to restrict the use of sql
methods.  Have you seen them?

 What do I have to do to allow
 anonymous viewers to just view the site

Give them "view" and "access contents information" permissions.
Depending on the products you've got installed and the operations you
want the

RE: [Zope] Folder and SQL security

2000-09-04 Thread Chris McDonough

On Tue, 5 Sep 2000, George Osvald wrote:

 My sql works now and security is satisfactory so thank you. The only thing
 that remains in question is that one subfolder. I created a user folder
 inside, set all the security and it does not do what I want. I want to
 restrict any access including viewing for nobody. Only authorised customers
 would be able to view the page. After turning off all the security options
 though I am still able to view the pages as nobody. How do I prevent that?

Do you have "acquire permissions" set on all the permissions of the
folder?  Have you tried turning it off?

This may be a wild goose chase because I'm sort of guessing at your
problem.   Your message has generalizations like "that one subfolder"
(what subfolder?  what are its settings?), "set all the security"
(how?), "does not do what I want" (what do you want?  exactly how
does it fail, can you give a concrete example?) and "the page" (what
page?).  It'd be helpful to define these, because as much as I try, I
can't read minds.  :-)

HTH,

C

 
  George wrote:
  
   Security in ZOPE is very puzzling. If I have certain rules set for the
   root folder, can I set something different for the sub folders?
 
  Sure... for general security information see both
  http://www.zope.org/Members/michel/ZB (the Zope book security chapter,
  mostly finished) and http://www.zope.org/Members/mcdonc/PDG (security
  chapter mostly finished).
 
   Any
   changes seem to have no effect at all.
 
  can you be more specific?
 
   I am especially wondering about
   setting for anonymous user. I'd like to give them only 'viewing'
   privilege but that does not work.
 
  How doesn't it work?
 
   The site is not functional at all and
   asks for the password even for the viewing. Then I enable 'access the
   content' and the site works as long as I do not try to use sql.
 
  Yes, "access contents information" is equivalent to allowing the user to
  list the objects in an object manager.  It's given to anonymous by
  default most of the time, and is probably required for most operations.
 
   When I
   however enable 'use sql methods' permission they can access my
   database, delete and add entries to it.
 
  This should have nothing to do with 'access contents information'.
  There should be permissions available to restrict the use of sql
  methods.  Have you seen them?
 
   What do I have to do to allow
   anonymous viewers to just view the site
 
  Give them "view" and "access contents information" permissions.
  Depending on the products you've got installed and the operations you
  want the users to be able to carry out, you may need to give them other
  permissions.
 
   (keep in mind that I am using a
   couple of zsql methods for embedding of data in my html) I also want to
   have one of the sub folders not accessible to any one but me.
   Can you help anyone?
  

Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
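The "acquire permissions" question Chris raises above is the usual cause of George's symptom. The following is an added model, written for this page and not code from Zope or from anyone in the thread, of how the roles allowed for a permission are computed when the acquire checkbox is set: the roles granted on the object are unioned with whatever the parent allows, so unchecking 'anonymous' in 'wholesale' changes nothing while the box stays ticked. Folder names follow George's description; the role sets are assumptions for illustration.

```python
# Added example (not from the thread or from Zope itself): a small model of
# Zope 2 permission acquisition. Folder names follow George's site layout.

class Folder:
    """A folder with per-permission role settings and an acquire flag.

    settings maps permission -> (roles granted here, acquire flag).
    A permission with no entry behaves as "acquire from parent".
    """
    def __init__(self, name, parent=None, settings=None):
        self.name = name
        self.parent = parent
        self.settings = settings or {}

    def roles_for(self, permission):
        """Roles allowed for `permission` on this object.

        With acquire on (Zope's default), the roles granted locally are
        UNIONED with the parent's roles; clearing the checkbox stops the
        walk up the tree at this object.
        """
        roles, acquire = self.settings.get(permission, (set(), True))
        allowed = set(roles)
        if acquire and self.parent is not None:
            allowed |= self.parent.roles_for(permission)
        return allowed

    def can(self, user_roles, permission):
        """True if any of the user's roles is allowed the permission."""
        return bool(set(user_roles) & self.roles_for(permission))


def build_site(wholesale_acquires):
    # Root: Anonymous may View the public site (assumed, like George's root).
    root = Folder("/", settings={"View": ({"Anonymous", "Manager"}, False)})
    okstudio = Folder("okstudio", root)           # no local settings, acquires
    # 'wholesale': Anonymous unchecked, Manager checked, acquire as given.
    wholesale = Folder("wholesale", okstudio,
                       settings={"View": ({"Manager"}, wholesale_acquires)})
    index_html = Folder("index_html", wholesale)  # the DTML doc, acquires
    return index_html


def anonymous_can_view(wholesale_acquires):
    """Can an anonymous visitor view wholesale/index_html?"""
    return build_site(wholesale_acquires).can({"Anonymous"}, "View")


def manager_can_view(wholesale_acquires):
    """Can George (Manager via wholesale's acl_users) still view it?"""
    return build_site(wholesale_acquires).can({"Manager"}, "View")
```

With the acquire box ticked the model reports that Anonymous can still view index_html, exactly what George sees; clearing it on 'wholesale' denies Anonymous while the Manager role keeps access.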




Re: [Zope] Folder and SQL security

2000-09-04 Thread R. David Murray

On Mon, 4 Sep 2000, George wrote:
 asks for the password even for the viewing. Then I enable 'access the
 content' and the site works as long as I do not try to use sql. When I
 however enable 'use sql methods' permission they can access my
 database, delete and add entries to it. What do I have to do to allow

Chris may have pointed you in the right direction, but depending on
the complexity of what you are doing you may also need to learn about
using proxy roles.  This allows you to write a dtml-method that
an anonymous user can call, where the dtml-method can access
privileged functions.  Since you control the method code, you
thereby control the security of that access and can limit it
to just what you need to make the site functional.

--RDM






Re: [Zope] Folder and SQL security

2000-09-03 Thread Chris McDonough

George wrote:
 
 Security in ZOPE is very puzzling. If I have certain rules set for the
 root folder, can I set something different for the sub folders?

Sure... for general security information see both
http://www.zope.org/Members/michel/ZB (the Zope book security chapter,
mostly finished) and http://www.zope.org/Members/mcdonc/PDG (security
chapter mostly finished).

 Any
 changes seem to have no effect at all.

can you be more specific?

 I am especially wondering about
 setting for anonymous user. I'd like to give them only 'viewing'
 privilege but that does not work. 

How doesn't it work?

 The site is not functional at all and
 asks for the password even for the viewing. Then I enable 'access the
 content' and the site works as long as I do not try to use sql.

Yes, "access contents information" is equivalent to allowing the user to
list the objects in an object manager.  It's given to anonymous by
default most of the time, and is probably required for most operations.

 When I
 however enable 'use sql methods' permission they can access my
 database, delete and add entries to it.

This should have nothing to do with 'access contents information'. 
There should be permissions available to restrict the use of sql
methods.  Have you seen them?

 What do I have to do to allow
 anonymous viewers to just view the site

Give them "view" and "access contents information" permissions. 
Depending on the products you've got installed and the operations you
want the users to be able to carry out, you may need to give them other
permissions.

 (keep in mind that I am using a
 couple of zsql methods for embedding of data in my html) I also want to
 have one of the sub folders not accessible to any one but me.
 Can you help anyone?
 
 Regards,
 George
 




Re: [Zope] Folder and SQL security

2000-09-03 Thread Dimitris Andrakakis

Hi George !

Please check what Chris wrote too but I can answer this:

 Security in ZOPE is very puzzling. If I have certain rules set for the
 root folder, can I set something different for the sub folders? 

It's as simple as having a separate Acl_users in those folders that
you need to have different security for. Say your site is:

/ (root)
  /department1
  /department2
    /subdept1
    /subdept2
  /department3

...and you want a common security model except for subdept2. So
you tweak the acl_users in the / (root) as you want and *only in subdept2*
you create another acl_users and tweak that as well.

Hope this helps,
Dimitris
http://www.zope.org/Members/dandraka


