On 08.02.06 21:38:26, michael nt milne wrote:
> Of course I did. Why on earth would you be able to view a front page of a site when it is labelled as 'authenticated' and also as 'manager', just by pressing cancel or return a few times?
I just checked that with a plain Zope's index_html. I cannot view localhost:8080/ when I change the security setting of index_html to allow View only for Authenticated. However, I can view it when I authenticate with the initial user information. Now the same thing with a Plone site: having removed the View right from front_page, I get a screen telling me to authenticate. Not the "box", because Plone normally uses cookie-auth; you should be able to change that in the UserFolder. If I use the initial user with the cookie-based form, I can see the Plone site. Then I removed the View right from the Plone site object for Anonymous, and when I access localhost:8080/p1 I get the Basic HTTP login box; giving it the initial user info, it lets me view the front_page.
> Big security flaw, I'm sorry.
I wonder why you are the only one experiencing this... Maybe because the error is on your side (or sits in front of your monitor), and not in Zope?
> Also, superuser passwords don't work when security is set up, and I've tried this on a couple of set-ups. And this is apart from the usability.
What do you mean by superuser? There is no superuser; you have an initial user, but that's not a user you'd normally use to log in. You add new users in the user folder. And what usability problem are you now talking about?

Andreas
--
Reply hazy, ask again later.