Dennis Allison wrote:
> Suppose I have pages stored in a folder structure rooted at /foo. The view security permission on /foo/... requires an Authenticated User. Normally pages are served from /foo/... under programmatic control and additional constraints are applied. But, if the user creates another browser window and if he/she knows the URL (or the root URL) they can move about /foo/... however they want by simply entering the URL into the browser. (This works because they are authenticated and the authentication is shared in the browser.)
So, why is that a problem? You can't stop that with access rules anyway, you can't stop anything with access rules, users can choose to disable them on a whim.

-- 
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
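The scenario above is a direct-URL (forced browsing) access: whatever "additional constraints" the application applies while it drives navigation are not seen by a request the user types into a second window. The usual mitigation is to evaluate those constraints server-side on every request under /foo/, so that the decision does not depend on how the URL was reached. The following is an added illustration, not code from the thread or from any particular product; the request model, the session dict and the "granted_pages" constraint are assumptions standing in for the application's real ones.

```python
"""Per-request, server-side enforcement of the /foo/... constraints.

Added example. Assumes a minimal request model (path + server-side
session dict) and a hypothetical constraint: the application records,
server-side, which pages its own flow has granted to this session.
"""
import posixpath
from dataclasses import dataclass, field

ROOT = "/foo"  # protected tree; view permission needs an authenticated user


@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # server-side state only


def is_authenticated(req: Request) -> bool:
    return bool(req.session.get("user"))


def constraint_satisfied(req: Request, path: str) -> bool:
    """Hypothetical 'additional constraint': the application flow must have
    granted this exact page (recorded server-side, never taken from the
    client, so typing the URL elsewhere does not satisfy it)."""
    return path in req.session.get("granted_pages", set())


def authorize(req: Request) -> str:
    """Return 'allow' or 'deny' for a request. Runs on every request, so a
    URL entered directly into a second window gets the same decision as
    one reached through the application's own navigation."""
    path = posixpath.normpath(req.path)  # collapse '..' and '//' first
    if path != ROOT and not path.startswith(ROOT + "/"):
        return "allow"  # outside the protected tree
    if not is_authenticated(req):
        return "deny"
    if not constraint_satisfied(req, path):
        return "deny"
    return "allow"


def grant(session: dict, path: str) -> None:
    """Called by the application itself when it serves a page under its
    programmatic control; this is the only way a page becomes reachable."""
    session.setdefault("granted_pages", set()).add(posixpath.normpath(path))
```

Because the check is made per request and the granted set lives only in server-side session state, a shared browser authentication alone is not enough to wander the tree.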