jamesd@mena.org.au wrote at 2003-3-27 11:39 +1000:
I have a Zope server running with two instances of plone, "Plone1" and "Plone2". plone2 is a demo site with a user "Demo" having the role 'Manager' available to the public. plone1 is a regular plone site.
If I log in to plone2 as the user Demo, then go to the following URL:

http://my.server/plone2/plone1

The permissions are acquired from the demo site, giving full Manager access to my main plone site. This is obviously a serious problem.
Zope tries hard to prevent access to protected objects defined outside of the folder governed by the "acl_users" that authenticated the user. You may have found a hole... Please file a "security related" collector report to <http://collector.zope.org/Zope>.

Dieter
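The boundary Dieter describes (a user authenticated by one acl_users must not be honoured for objects that live outside that folder) is easy to get wrong if the check looks at the path the request traversed instead of where the object really lives, which is exactly what the /plone2/plone1 report suggests. The following Python is an added illustration and is not Zope's code or the Plone sites' configuration: it builds a small constructed object tree with two sibling sites, resolves a URL the way acquisition does (a name missing from the current container is looked up in its ancestors), and then contrasts a naive URL-prefix check with a containment check that walks the object's physical parents. All class, function and site names are hypothetical.

```python
"""Model of the user-folder boundary check (added illustration, not Zope code).

Contrasts two ways of deciding whether a user authenticated in one site
folder may act on an object reached through acquisition from a sibling site.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    id: str
    parent: Optional["Folder"] = None           # physical (containment) parent
    children: dict = field(default_factory=dict)
    user_folder: bool = False                   # folder owns an acl_users

    def add(self, child: "Folder") -> "Folder":
        child.parent = self
        self.children[child.id] = child
        return child

    def physical_path(self) -> str:
        """Path built from real containment, independent of how we got here."""
        parts = []
        node = self
        while node is not None:
            parts.append(node.id)
            node = node.parent
        return "/".join(reversed(parts)) or "/"


def traverse(root: Folder, url_path: str):
    """Resolve a URL the way acquisition does: a name that is not a child of
    the current object is searched for in the object's physical ancestors.
    Returns the final object and the URL path that was actually walked."""
    node = root
    traversed = []
    for name in [p for p in url_path.split("/") if p]:
        probe = node
        while probe is not None and name not in probe.children:
            probe = probe.parent                # acquire from an ancestor
        if probe is None:
            raise KeyError(name)
        node = probe.children[name]
        traversed.append(name)
    return node, "/" + "/".join(traversed)


def naive_allowed(auth_folder: Folder, url_path: str) -> bool:
    """Flawed check: trusts the URL. The authenticating folder only has to be
    a prefix of the traversed path, so acquired siblings look 'inside'."""
    assert auth_folder.user_folder
    base = auth_folder.physical_path()
    return url_path == base or url_path.startswith(base.rstrip("/") + "/")


def containment_allowed(auth_folder: Folder, obj: Folder) -> bool:
    """Correct check: walk the object's real parents and require the folder
    that authenticated the user to be the object or one of its containers."""
    assert auth_folder.user_folder
    node = obj
    while node is not None:
        if node is auth_folder:
            return True
        node = node.parent
    return False


def build_site():
    """Constructed layout mirroring the report: two sibling sites, each with
    its own acl_users, and a protected object inside the real site."""
    root = Folder(id="")
    plone1 = root.add(Folder(id="plone1", user_folder=True))
    plone2 = root.add(Folder(id="plone2", user_folder=True))
    plone1.add(Folder(id="private"))
    return root, plone1, plone2


def check(url_path: str) -> dict:
    """Evaluate one URL for a user whose session was authenticated in plone2."""
    root, _plone1, plone2 = build_site()
    obj, traversed = traverse(root, url_path)
    return {
        "physical": obj.physical_path(),
        "naive": naive_allowed(plone2, traversed),
        "containment": containment_allowed(plone2, obj),
    }


if __name__ == "__main__":
    for url in ("/plone2", "/plone2/plone1/private", "/plone1/private"):
        print(url, check(url))
```

The interesting row is /plone2/plone1/private: the traversed URL starts with /plone2, so the naive check grants the demo user access, but the object's physical path is /plone1/private and the containment check refuses it. An authorization layer that reasons about where an object is contained, not about the acquisition path a request happened to walk, is what keeps a Manager role in one site from leaking into a sibling.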