Re: [Zope] Security issues

2005-05-01 Thread Andreas Jung

--On Sunday, 1 May 2005 13:02 +0100 cla [EMAIL PROTECTED] wrote:

> Hi!
> I'm developing a portal using Zope and I have had some
> problems with the security of some template pages that
> I have created. Those pages are accessible just by putting
> the correct path in the URL, even if they are only for
> manager access. I have already tried the security tabs that
> are associated with each document, but with no success.
> What can I do to resolve this big problem?

You have to add security assertions to file-based templates through .metadata
files.
If foo.pt is your template then create a file foo.pt.metadata containing:

[security]
View=0:Manager

This means that the View permission is only granted to Managers and that the
permission is not acquired (same as the corresponding flag in the ZMI).

-aj
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
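
The per-template .metadata convention from the reply above can be checked across a whole directory of templates. This is an added example, not part of the original thread and not Zope or CMF code: a Python audit that lists every *.pt file whose View permission is not restricted as shown. The function names, the sample tree, and the reading of the value as flag:role1,role2 (comma-separated roles, any flag other than 0 treated as acquired) are assumptions.

```python
import configparser
import tempfile
from pathlib import Path

def parse_security(metadata_path):
    """Return {permission: (acquired, roles)} from a .metadata [security] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep permission names such as "View" case-sensitive
    cp.read(metadata_path)
    parsed = {}
    if cp.has_section("security"):
        for perm, value in cp.items("security"):
            flag, _, roles = value.partition(":")
            # Assumption: value is "flag:role1,role2"; only flag 0 means "not acquired".
            parsed[perm] = (flag.strip() != "0",
                            [r.strip() for r in roles.split(",") if r.strip()])
    return parsed

def audit(skin_dir, permission="View", allowed=("Manager",)):
    """Return (template, problem) pairs for templates that are not locked down."""
    findings = []
    for tpl in sorted(Path(skin_dir).rglob("*.pt")):
        meta = tpl.with_name(tpl.name + ".metadata")
        entry = parse_security(meta).get(permission) if meta.is_file() else None
        if entry is None:
            findings.append((tpl.name, "no %s assertion" % permission))
            continue
        acquired, roles = entry
        if acquired:
            findings.append((tpl.name, "%s is acquired" % permission))
        extra = sorted(set(roles) - set(allowed))
        if extra:
            findings.append((tpl.name, "extra roles: " + ", ".join(extra)))
    return findings

def demo():
    """Audit a constructed sample tree; only foo.pt matches the thread's advice."""
    samples = {"foo.pt": "View=0:Manager", "bar.pt": "View=1:Manager",
               "baz.pt": "View=0:Manager,Member", "qux.pt": None}
    with tempfile.TemporaryDirectory() as d:
        for name, meta in samples.items():
            Path(d, name).write_text("<html/>")
            if meta is not None:
                Path(d, name + ".metadata").write_text("[security]\n%s\n" % meta)
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

Point audit() at the directory that holds the file-based templates; an empty result means every template carries the restriction.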


Re: [Zope] Security issues

2005-05-01 Thread cla
Thanks for your help!
But is there any way to define
this permission on the folder that contains the
many page templates whose use I want to restrict?

Affecting the parent (folder), we also affect the children (documents),
instead of defining these rules for all template pages.


Thanks a lot.

Quoting Andreas Jung [EMAIL PROTECTED]:

> --On Sunday, 1 May 2005 13:02 +0100 cla [EMAIL PROTECTED] wrote:
>
> > Hi!
> >
> > I'm developing a portal using Zope and I have had some
> > problems with the security of some template pages that
> > I have created. Those pages are accessible just by putting
> > the correct path in the URL, even if they are only for
> > manager access. I have already tried the security tabs that
> > are associated with each document, but with no success.
> >
> > What can I do to resolve this big problem?
>
> You have to add security assertions to file-based templates through .metadata
> files.
> If foo.pt is your template then create a file foo.pt.metadata containing:
>
> [security]
> View=0:Manager
>
> This means that the View permission is only granted to Managers and that the
> permission is not acquired (same as the corresponding flag in the ZMI).
>
> -aj







Re: [Zope] security issues

2000-06-04 Thread Ragnar Beer

> > I will soon have a Zope-site ready to go online. How can I make sure
> > that I did everything (concerning Zope) to stop intruders? Where can
> > I find information about protecting a Zope-site? Has anyone had
> > security problems so far?
>
> Easiest (most brutal?) fix I've found - hide Zope behind an Apache,
> and prohibit access to any URLs of the form .*/manage.*

This is what I'm doing at the moment (more or less) but your question
made me think. Actually this is an example of "allow anything that
isn't explicitly denied" which is not a very good policy if you want
security. I remember (but - darn - can't remember where I have it) a
posting that said that anyone can easily see the names of all objects
in a folder which is nice intelligence gathering.

I guess it would be much better (and even more brutal;) to deny
everything that isn't allowed explicitly. I'll try that later. I
think I'll have to allow .*_html and .*_img for the http protocol
plus all the .*/manage.* stuff for https and perhaps also make some
(not so secure) restrictions based on IP addresses.

--Ragnar







Re: [Zope] security issues

2000-06-01 Thread Anthony Baxter

Ragnar Beer wrote:
> Howdy everyone!
>
> I will soon have a Zope-site ready to go online. How can I make sure
> that I did everything (concerning Zope) to stop intruders? Where can
> I find information about protecting a Zope-site? Has anyone had
> security problems so far?

Easiest (most brutal?) fix I've found - hide Zope behind an Apache,
and prohibit access to any URLs of the form .*/manage.*

If you don't need to use basic auth to the Zope, then use a rewrite
rule to strip out any Authentication headers in the requests.

Anthony
