[EMAIL PROTECTED] wrote on 08/10/2006
> Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
> >I have a zope app in a folder and have an exUserFolder in there to
> >authenticate the app's users. The app is working fine and i get
> >authenticated by the exUserFolder and everything works. I tried to
> >delete the single "admin" account (with Manager privileges) from the
> >root standard user folder and the app breaks with:
> >Unauthorized: You are not allowed to access 'call_backend' in this
> >where 'call_backend' is an External Method called by a Python Script.
> >All objects in zope are owned by the "admin". Could this be causing the
> Others already answered "yes".
> I just would like to add that this is due to the "executable owner"
> feature, introduced in Zope 2.2 to make Trojan horse attacks much
> more difficult. You may still be able to find the corresponding
> documentation (maybe even in the Zope Book (2.7 edition on "Plope.org").
I would also add. It is usually a real good idea to put only
admin users in the root folder anyway.
This gives you additional protection from several problems: it makes
database connection methods much harder to see, it protects you from
bugs in add-on acl_user products, it keeps people from doing things
like adding a siteroot to your root folder, and it keeps people out of
The only thing that I can imagine that you would want non admins to have
access to in the root folder is the error_log.
In a large organization, I could see that you would want programmers
who do not have admin rights to be able to see it. That might take some
special handling, but I suspect that you could use a proxy role or
even just set its access to Anonymous (although that may lead to
unintended information leakage).
> Zope maillist - Zope@zope.org
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-dev )
Zope maillist - Zope@zope.org
** No cross posts or HTML encoding! **
(Related lists -