Michael Vartanyan wrote:
In the very beginning of my Zope career, I once "shot myself in the
foot" with a very stupid thing... I kept it to myself then but if we are
talking about Zope security settings and usability of the ZMI at the
same time, perhaps it is an ideal place to raise this issue.
If you use the famous manage_access page with all the checkboxes to set
permissions on an object, it then calls manage_changePermissions to
using POST method to apply your settings. The result is that
http://your_object_url/manage_changePermissions (without any parameters)
stays in your browser visited url history. Now imagine what happens if
you click this url by mistake being logged as someone with "Change
permissions" permission.
I guess changing the form method to GET is not going to be liked by
browsers that put additional restrictions on URL length. So I would
propose to introduce a basic request sanity check in the
manage_changePermissions itself. I cannot think of any use for resetting
all permissions and acquisition for everyone, so the easiest way to do
that is to simply check that at least something exists in the form:
...
def manage_changePermissions(self, REQUEST):
"""Change all permissions settings, called by management screen.
"""
>> if len(REQUEST.form)<2: raise ...
self._isBeingUsedAsAMethod(REQUEST, 0)
valid_roles=self.valid_roles()
indexes=range(len(valid_roles))
have=REQUEST.has_key
permissions=self.ac_inherited_permissions(1)
fails = []
...
or something like that.
Actually the proper way to do it, and for exactly the reasons you outlined
above, is to always do a redirect to a "result page" url after a POST that
has side effects. It's even mandated by the HTTP/HTML specs.
Florent
--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
_______________________________________________
Zope maillist - [email protected]
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
