
zope_security_observations

by Jörg Baach last modified Feb 16, 2006 10:19 AM
Findings about Zope's security mechanism

* You can raise a string "Unauthorized" to create a 401 error.
* The user you get via sm.getUser reflects the login/password passed by the browser, not the user actually needed. That means a script can be accessible by 'view' and still raise a 401 from inside.
* The security declarations are made within the class of the objects, usually on the instances as well as on methods, via security.declareProtected.

Questions:

* What's the purpose of __ac_permissions, as found in PropertyTools?
