RE: [Zope] Authentication, Anonymous and Public

2000-07-05 Thread Capesius, Alan

Brian, here are the steps to recreate:


Caveat: Anonymous is unrestricted at the root level
1) Create a folder
2) Remove inherited (acquired) rights for all attributes
3) Add a user to the folder
4) Give the user the manager role
5) Access the root level using a restarted (clean) browser to confirm accessibility
6) Access the new folder created in (1). You should be prompted to log in.
7) Log in using the new user account
8) Now try to access the root level again. You should be prompted for a password. (you may need to reload the page)




Alan Capesius, MCSE
Technical Support Engineer
Sysmex Corporation of America
[EMAIL PROTECTED]





Re: [Zope] Authentication, Anonymous and Public

2000-07-05 Thread Chris Withers

Brian Lloyd wrote:
> Can you give me a scenario that shows the problem so
> that I can reproduce it? (walk me through what objects
> to create, what permissions to give, how to try to
> access them). This should be done with standard built-in
> User/UserFolders if possible.

http://lists.zope.org/pipermail/zope-dev/2000-March/003970.html

I've lost the .zexp but you might be able to UU-unencode it from the
archive.

If not, let me know and I'll try and re-create it, that said, I think
the steps I took to create it are described in the mail...

cheers,

Chris

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




RE: [Zope] Authentication, Anonymous and Public

2000-07-05 Thread Brian Lloyd

> > A user that does not log in, i.e. a user you know nothing of,
> > gets the "Anonymous" role automatically (at least with "acl_users").
> > A logged in user may not get the "Anonymous" role.
> > 
> > This does not provide additional security, because this
> > user may simply shut down his browser and access the page again
> > as anonymous user.
> > On the other hand, it may result in surprises: suddenly (after
> > a log on) I can no longer do things that I was able to do
> > before the log on.
> > 
> > I think, this should be changed.
> 
> I agree, and I've said so, many times before ;-)
> 
> Chris

Guys - 

I'm looking at the security code, and the intent is 
that if 'Anonymous' is in the roles required to access 
an object, the user is allowed (even though he may not 
have been given the 'Anonymous' role explicitly).

This appears to be the case both in 2.1.x and the new 
2.2.x security policy - I've been trying to replicate 
the problem you are referring to but I must be missing 
something. My test case was:

  o create a user 'test', giving him only 'test_role'

  o create a dtml document object with default security
    (anonymous has 'View' permission)

  o give users with 'test_role' 'View mgmt screens' on
    the dtml document.

  o in a new browser, visit doc/manage to force login
    as 'test' with 'test_role'

  o try to view the doc normally ('View' is only given
    to anonymous), which works as expected


Can you give me a scenario that shows the problem so 
that I can reproduce it? (walk me through what objects 
to create, what permissions to give, how to try to 
access them). This should be done with standard built-in 
User/UserFolders if possible.

Thanks!

Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com



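A toy model of the access check discussed in Alan's reproduction steps and in Brian's test case above, added here as an illustration and not code from Zope or from anyone in the thread. It assumes a flat permission-to-roles map per object (acquisition is ignored) and a boolean `implicit_anonymous` that switches between the two readings of the Anonymous role the thread argues about.

```python
# Added illustration, not Zope's own code: a minimal model of Zope 2 style
# role-based access checks, showing why an authenticated user can lose access
# that anonymous visitors keep.  Acquisition of permission settings is ignored.

ANONYMOUS = "Anonymous"


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


# An unauthenticated request is given the Anonymous role automatically.
NOBODY = User("Anonymous User", [ANONYMOUS])


class ProtectedObject:
    def __init__(self, permissions):
        # permission name -> roles granted that permission (local settings only)
        self.permissions = {p: frozenset(r) for p, r in permissions.items()}


def allowed(user, obj, permission, implicit_anonymous):
    """True if `user` may exercise `permission` on `obj`.

    implicit_anonymous=True is the reading Brian and the Content Manager Guide
    give: if Anonymous is among the roles granting the permission, anyone
    passes.  False is the strict reading (only roles the user actually holds
    count) that produces the surprise Alan and Dieter describe.
    """
    granted_to = obj.permissions.get(permission, frozenset())
    if implicit_anonymous and ANONYMOUS in granted_to:
        return True
    return bool(user.roles & granted_to)


def brians_test_case(implicit_anonymous):
    """Brian's scenario: 'View' for Anonymous only, mgmt screens for test_role."""
    doc = ProtectedObject({
        "View": {ANONYMOUS, "Manager"},
        "View management screens": {"Manager", "test_role"},
    })
    test = User("test", ["test_role"])
    # Stuart's workaround: grant the Anonymous role to the user explicitly.
    test_fixed = User("test", ["test_role", ANONYMOUS])
    return {
        "anonymous_can_view": allowed(NOBODY, doc, "View", implicit_anonymous),
        "test_can_manage": allowed(test, doc, "View management screens", implicit_anonymous),
        "test_can_view": allowed(test, doc, "View", implicit_anonymous),
        "test_fixed_can_view": allowed(test_fixed, doc, "View", implicit_anonymous),
    }
```

Under the strict reading `test_can_view` is False while `anonymous_can_view` is True, which is exactly the "logging in loses access" effect Alan reports; both the implicit reading and the explicit-grant workaround make it True.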




Re: [Zope] Re: Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)

2000-07-05 Thread Chris Withers

Stuart Bishop wrote:
> or in BasicUserFolder. Either way it should go in the collector. 

Issue 1391, or in a slightly different phrasing, Issue 467

cheers,

Chris





Re: [Zope] Re: Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)

2000-07-05 Thread Stuart Bishop

On Sun, 2 Jul 2000, Dieter Maurer wrote:

> Chris Withers writes:
>  > Dieter Maurer wrote:
>  > > In Zope, each user has a set of roles.
>  > > Any user has the "Anonymous" role. Log-in users may have
>  > > additional roles.
>  > 
>  > I'm not convinced this is true...
> The Content Manager Guide (Security, Authorization) states it
> this way:
> 
>   The "Anonymous" role, which all users have implicitly, 

Ahh... I thought I saw this somewhere. Either a bug in the documentation,
or in BasicUserFolder. Either way it should go in the collector. Since
few (if any) of the user folders use this, it may be best handled in
the Zope source if it is decided that it isn't a documentation error.

-- 
Stuart Bishop  Work: [EMAIL PROTECTED]
Senior Systems Alchemist   Play: [EMAIL PROTECTED]
Computer Science, RMIT University







Re: [Zope] Authentication, Anonymous and Public

2000-07-04 Thread Chris Withers

Dieter Maurer wrote:
> A user that does not log in, i.e. a user you know nothing of,
> gets the "Anonymous" role automatically (at least with "acl_users").
> A logged in user may not get the "Anonymous" role.
> 
> This does not provide additional security, because this
> user may simply shut down his browser and access the page again
> as anonymous user.
> On the other hand, it may result in surprises: suddenly (after
> a log on) I can no longer do things that I was able to do
> before the log on.
> 
> I think, this should be changed.

I agree, and I've said so, many times before ;-)

Chris





Re: [Zope] Authentication, Anonymous and Public

2000-07-04 Thread Dieter Maurer

Stuart Bishop writes:
 > On Fri, 30 Jun 2000, Dieter Maurer wrote:
 > > In Zope, each user has a set of roles.
 > > Any user has the "Anonymous" role. Log-in users may have
 > > additional roles.
 > > 
 > > Thus, what you see, should not happen.
 > 
 > Users, by default, are not granted the 'Anonymous' role. If you
 > explicitly grant the Anonymous role to your users you will get the behaviour
 > you want.
Let's discuss whether this is useful.

A user that does not log in, i.e. a user you know nothing of,
gets the "Anonymous" role automatically (at least with "acl_users").
A logged in user may not get the "Anonymous" role.

This does not provide additional security, because this
user may simply shut down his browser and access the page again
as anonymous user.
On the other hand, it may result in surprises: suddenly (after
a log on) I can no longer do things that I was able to do
before the log on.

I think, this should be changed.


Dieter





Re: [Zope] Authentication, Anonymous and Public

2000-07-04 Thread Stuart Bishop

On Fri, 30 Jun 2000, Dieter Maurer wrote:

> Capesius, Alan writes:
>  > I'm running into a problem after implementing jcNTUserFolder in a 
>  > subfolder of my site. Users can access the root level or particular 
>  > subfolders anonymously. Once a user accesses the protected 
>  > NTUserFolder, the credentials are saved in the browser. If the user 
>  > then returns to the anonymous area, they can no longer access the 
>  > folder due to the browser credentials.
>  > 
>  > Does Zope have a mechanism equivalent to the Novell NDS Public access?
>  > that is to say:
>  > 
>  > Anonymous = not authenticated.
>  > Everyone = authenticated users (that are members of the group)
>  > Public = authenticated and anonymous users.
> 
> In Zope, each user has a set of roles.
> Any user has the "Anonymous" role. Log-in users may have
> additional roles.
> 
> Thus, what you see, should not happen.

Users, by default, are not granted the 'Anonymous' role. If you
explicitly grant the Anonymous role to your users you will get the behaviour
you want.

Earlier than current versions of GUF automatically did this, but I changed
it in the later releases after I saw the error pointed out by Ty or Phillip -
this may be a source of some confusion.

This email live from drizzly Queensland :-(

-- 
Stuart Bishop  Work: [EMAIL PROTECTED]
Senior Systems Alchemist   Play: [EMAIL PROTECTED]
Computer Science, RMIT University






Re: [Zope] Re: Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)

2000-07-03 Thread Chris Withers

Dieter Maurer wrote:
>  > > In Zope, each user has a set of roles.
>  > > Any user has the "Anonymous" role. Log-in users may have
>  > > additional roles.
>  >
>  > I'm not convinced this is true...

> The Content Manager Guide (Security, Authorization) states it
> this way:
> 
>   The "Anonymous" role, which all users have implicitly, 

...and check out the last time the Content Manager's Guide was updated
;-)

Seriously, though, I think this SHOULD be true, although I'm pretty sure
it isn't.

> This is natural, too.
> Why should a registered user have
> less authorization than an anonymous one.

Or, to put it another way, just because an acl_users folder doesn't know
anything about a user, why should that user not have the anonymous role?

> Thus, two reasons to change the Zope authorization, such
> that each user has implicitly the "Anonymous" role,
> if this is not the case now.

I totally agree :-)

Chris





[Zope] Re: Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)

2000-07-02 Thread Dieter Maurer

Chris Withers writes:
 > Dieter Maurer wrote:
 > > In Zope, each user has a set of roles.
 > > Any user has the "Anonymous" role. Log-in users may have
 > > additional roles.
 > 
 > I'm not convinced this is true...
The Content Manager Guide (Security, Authorization) states it
this way:

  The "Anonymous" role, which all users have implicitly, 


This is natural, too.
Why should a registered user have
less authorization than an anonymous one.


Thus, two reasons to change the Zope authorization, such
that each user has implicitly the "Anonymous" role,
if this is not the case now.



Dieter





[Zope] Every user should have the Anonymous role everywhere (was: Re: [Zope] Authentication, Anonymous and Public)

2000-07-01 Thread Chris Withers

Dieter Maurer wrote:
> In Zope, each user has a set of roles.
> Any user has the "Anonymous" role. Log-in users may have
> additional roles.

I'm not convinced this is true...

Quoting from the LoginManager CHANGES.TXT file:
> Generic User Source, like the GenericUserFolder product it was inspired by,
> gave all users the Anonymous role. This seems to be incorrect according to 
> what other user folders do, including the standard Zope version, so GUS now 
> no longer does this.

...which is why Alan experiences this problem. I've also run into it
just using a normal acl_users folder and I've been mentioning it every few
months since I bumped into it back in March. Here's my original post:

http://zope.nipltd.com/public/lists/dev-archive.nsf/ByKey/82AE22A20C7E88AE

I wish this could get sorted out as it makes security a nightmare unless
you use a web of local roles, which is painful and messy to maintain.

Is there any reason why every user shouldn't have the anonymous role for
every accessible page/object/thing visitable through a protocol?

cheers,

Chris





RE: [Zope] Authentication, Anonymous and Public

2000-06-30 Thread Alan Capesius, MCSE

I thought the same. Perhaps the use of NT User causes this?
Since the browser has the credentials to authenticate to NT and the higher
folders are not aware of the NT User Folder...

Seems the only solutions are to use the NT User Folder at the root level.

Thanks

> > --
> > From:   Dieter Maurer[SMTP:[EMAIL PROTECTED]]
> > Sent:   Friday, June 30, 2000 4:40:26 PM
> > To: Capesius, Alan
> > Cc: [EMAIL PROTECTED]
> > Subject:Re: [Zope] Authentication, Anonymous and Public
> > Auto forwarded by a Rule
> > 
> Capesius, Alan writes:
>  > I'm running into a problem after implementing jcNTUserFolder in a 
>  > subfolder of my site. Users can access the root level or particular 
>  > subfolders anonymously. Once a user accesses the protected 
>  > NTUserFolder, the credentials are saved in the browser. If the user 
>  > then returns to the anonymous area, they can no longer access the 
>  > folder due to the browser credentials.
>  > 
>  > Does Zope have a mechanism equivalent to the Novell NDS Public access?
>  > that is to say:
>  > 
>  > Anonymous = not authenticated.
>  > Everyone = authenticated users (that are members of the group)
>  > Public = authenticated and anonymous users.
> 
> In Zope, each user has a set of roles.
> Any user has the "Anonymous" role. Log-in users may have
> additional roles.
> 
> Thus, what you see, should not happen.
> 
> 
> Dieter
> 






Re: [Zope] Authentication, Anonymous and Public

2000-06-30 Thread Dieter Maurer

Capesius, Alan writes:
 > I'm running into a problem after implementing jcNTUserFolder in a 
 > subfolder of my site. Users can access the root level or particular 
 > subfolders anonymously. Once a user accesses the protected 
 > NTUserFolder, the credentials are saved in the browser. If the user 
 > then returns to the anonymous area, they can no longer access the 
 > folder due to the browser credentials.
 > 
 > Does Zope have a mechanism equivalent to the Novell NDS Public access?
 > that is to say:
 > 
 > Anonymous = not authenticated.
 > Everyone = authenticated users (that are members of the group)
 > Public = authenticated and anonymous users.

In Zope, each user has a set of roles.
Any user has the "Anonymous" role. Log-in users may have
additional roles.

Thus, what you see, should not happen.


Dieter
