It is common knowledge that we can restrict access 
to an object by taking away many of the permissions 
from the security manager in the ZMI.  Especially
in the case of some objects like Oracle database
connections, you don't want other people to be
able to snag your "connect string" which contains
username and password information.

However, if a user has access to any folder on the
system, they can programatically (and in some
cases use the ZMI) copy the objects to anohter
location.  For example, if a user can view the
management screens in a folder, they can copy an 
object, paste it to another location, give his
self Manager local roles, and then view the "connect
string".  This works basically for every object.

The problem is the CopySupport._canCopy method,
which always returns 1 (true).  It looks like this
should be overridden for special products, but the
base functionality should do some basic
permission checking to determine if the object is
copyable or should be copied.

Below is a diff for OFS/CopySupport which adds a
check to _canCopy to look for the "Access contents
information" permission.  


    Christopher N. Deckard      |     Lead Web Systems Developer
      [EMAIL PROTECTED]        |    Engineering Computer Network
  http://www.ecn.purdue.edu/    |         Purdue University 
---- zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)"\005w') ---

--- CopySupport.py.orig Wed May  1 14:59:46 2002
+++ CopySupport.py      Wed May  1 15:02:34 2002
@@ -382,7 +382,9 @@
     def _canCopy(self, op=0):
         """Called to make sure this object is copyable. The op var
         is 0 for a copy, 1 for a move."""
-        return 1
+        if self.REQUEST.AUTHENTICATED_USER.has_permission('Access contents 
+information', self):
+            return 1
+        return 0
     def _notifyOfCopyTo(self, container, op=0):
         """Overide this to be pickly about where you go! If you dont

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to