Personal tools

Navigation

You are here: Home / Members / jhb / old blog entries / zope_security_observations

zope_security_observations

by Jörg Baach — last modified Feb 16, 2006 10:19 AM

Findings about zopes security mechanism

* You can raise a string "Unauthorized" to create a 401 Error
* The user you get via sm.getUser reflects the login/password passed
by the browser, not the
user actually needed - that means that a script can be accessible
by 'view', and still can raise
an 401 from inside
* The security declarations are made within the class of the
objects, usually on the instances
as well as on methods - via security.declareProtected

Questions:

* Whats the purpose of __ac_permissions, as found in PropertyTools

Add comment

You can add a comment by filling out the form below. Plain text formatting.

Name

Comment

Captcha

Question: What is 42 minus 19?
Your answer:

Updates...: thunderbird grey background for text messages May 12, 2018; A problem with neo4j's db.schema()? Apr 25, 2018; neo4j full text indexing - limited to 32k Mar 20, 2017; Installing python buildout with readline Feb 25, 2017; Fonts on Ubuntu - revamped Jan 24, 2017; plone: removing (portlet)renderers from the cache Jun 02, 2015; A comparison of five ebook readers Nov 29, 2014; neo4j performance compared to graphagus Oct 07, 2014; Embed pdf viewer in firefox (29+) using mozplugger May 19, 2014; Development with cordova / phonegap Feb 19, 2014; more…