Re: [Zope] no accounts in root user folder?
On 8/10/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> This gives you additional protection from several problems:
> [..snip..]
> it protects you from bugs in add-on acl_user products

Unless you installed PlonePAS which for some obscure reason insists on replacing the root acl_users folder with a PlonePAS instance as well.

--
Martijn Pieters
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] no accounts in root user folder?
Yes, you must never delete an account that owns ZODB objects.

Stefan

On 10. Aug 2006, at 09:58, Vangelis Mihalopoulos wrote:
> where 'call_backend' is an External Method called by a Python Script.
> All objects in zope are owned by the admin. Could this be causing the problem?

--
Anything that, in happening, causes something else to happen, causes something else to happen. --Douglas Adams

Re: [Zope] no accounts in root user folder?
Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
> I have a zope app in a folder and have an exUserFolder in there to authenticate the app's users. The app is working fine and I get authenticated by the exUserFolder and everything works.
>
> I tried to delete the single admin account (with Manager privileges) from the root standard user folder and the app breaks with:
>
> Unauthorized: You are not allowed to access 'call_backend' in this context
>
> where 'call_backend' is an External Method called by a Python Script.
> All objects in zope are owned by the admin. Could this be causing the problem?

Others already answered yes.

I just would like to add that this is due to the executable owner feature, introduced in Zope 2.2 to make Trojan horse attacks much more difficult. You may still be able to find the corresponding documentation (maybe even in the Zope Book (2.7 edition on Plope.org)).

--
Dieter

Re: [Zope] no accounts in root user folder?
[EMAIL PROTECTED] wrote on 08/10/2006 02:02:28 PM:
> Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
> > I have a zope app in a folder and have an exUserFolder in there to authenticate the app's users. The app is working fine and I get authenticated by the exUserFolder and everything works.
> >
> > I tried to delete the single admin account (with Manager privileges) from the root standard user folder and the app breaks with:
> >
> > Unauthorized: You are not allowed to access 'call_backend' in this context
> >
> > where 'call_backend' is an External Method called by a Python Script.
> > All objects in zope are owned by the admin. Could this be causing the problem?
>
> Others already answered yes.
>
> I just would like to add that this is due to the executable owner feature, introduced in Zope 2.2 to make Trojan horse attacks much more difficult. You may still be able to find the corresponding documentation (maybe even in the Zope Book (2.7 edition on Plope.org)).

I would also add. It is usually a real good idea to put only admin users in the root folder anyway. This gives you additional protection from several problems: it makes database connection methods much harder to see, it protects you from bugs in add-on acl_user products, it keeps people from doing things like adding a siteroot to your root folder, and it keeps people out of the Control_Panel.

The only thing that I can imagine that you would want non admins to have access to in the root folder is the error_log. In a large organization, I could see that you would want programmers who do not have admin rights to be able to see it. That might take some special handling, but I suspect that you could use a proxy role or even just set its access to Anonymous (although that may lead to unintended information leakage).

jim penny

> --
> Dieter
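
An added example (not part of the thread or of Zope itself) of the check Stefan's and Dieter's replies imply: before deleting an account, list every object whose recorded owner is that account. `getOwnerTuple()`, `objectValues()` and `getId()` are the Zope method names; `FakeObj`, `myapp` and `run_report` are constructed stand-ins so the walk runs without a Zope instance.

```python
def owned_by(root, user_id, userfolder_path=("acl_users",)):
    """Return paths of all objects under root whose owner, as reported by
    getOwnerTuple(), is user_id in the user folder at userfolder_path."""
    hits = []
    stack = [((), root)]
    while stack:
        path, obj = stack.pop()
        get_owner = getattr(obj, "getOwnerTuple", None)
        owner = get_owner() if callable(get_owner) else None
        # Ownership is a (path-to-user-folder, user id) pair; anything else
        # (None, unownable markers) is skipped.
        if isinstance(owner, tuple) and len(owner) == 2:
            uf_path, uid = owner
            if uid == user_id and tuple(uf_path) == tuple(userfolder_path):
                hits.append("/" + "/".join(path))
        children = getattr(obj, "objectValues", None)
        if callable(children):
            for child in children():
                stack.append((path + (child.getId(),), child))
    return sorted(hits)


class FakeObj:
    """Constructed stand-in for a Zope object (sample data only)."""
    def __init__(self, id, owner=None, children=()):
        self._id, self._owner, self._children = id, owner, list(children)
    def getId(self):
        return self._id
    def getOwnerTuple(self):
        return self._owner
    def objectValues(self):
        return self._children


def sample_tree():
    root_admin = (["acl_users"], "admin")
    # Same user id, but defined in the application's own user folder.
    app_admin = (["myapp", "acl_users"], "admin")
    return FakeObj("", root_admin, [
        FakeObj("myapp", root_admin, [
            FakeObj("call_backend", root_admin),
            FakeObj("run_report", app_admin),
        ]),
        FakeObj("error_log", None),
    ])


if __name__ == "__main__":
    for p in owned_by(sample_tree(), "admin"):
        print("still owned by root admin:", p)
```

An empty result for the account means no object under the walked root records it as owner; the user folder path is compared as well because the same user id can exist in more than one user folder.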