Fred Yankowski wrote at 2004-9-14 17:36 -0500:
... So I logged in to the ZMI as a non-admin Manager user and tried to take ownership of the portal_skins folder (and all content below it). That resulted in Insufficient Privileges too. The error_log entry had this:
Unauthorized: manage_takeOwnership was called from an invalid context
That method requires the HTTP_REFERER value from the request to do its work. (Why? Is that really to be trusted?) I typically access sites via a proxy (junkbuster) that removes the HTTP_REFERER header and so I was hosed.
A long time ago, there was a discussion about how to make management operations a bit safer. One proposal has been to accept management actions only when they come from the same site. Apparently, someone followed the proposal in the implementation of "manage_takeOwnership". I doubt that it was a good idea.

--
Dieter
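
The same-site check discussed in this message, as an added example that is not part of the original post and is not Zope's implementation. It treats a missing Referer (the stripping-proxy case) separately from a cross-site one and lets a per-session form token decide; all function names, the key and the URLs are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:           # malformed netloc or non-numeric port
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host.lower(), port or DEFAULT_PORTS[scheme])

def referer_verdict(referer, site_url):
    """Classify the Referer header as 'same-site', 'cross-site' or 'absent'."""
    if not referer:
        return "absent"          # e.g. removed by a privacy proxy
    ref = origin(referer)
    # Compare parsed origins, never string prefixes of the URL.
    if ref is not None and ref == origin(site_url):
        return "same-site"
    return "cross-site"

def action_token(key, session_id, action):
    """Per-session, per-action token to embed in the management form."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def allow_action(referer, site_url, key, session_id, action, token):
    """Reject cross-site Referers; otherwise require a valid form token."""
    if referer_verdict(referer, site_url) == "cross-site":
        return False
    expected = action_token(key, session_id, action).encode()
    return hmac.compare_digest(expected, (token or "").encode())
```

With this policy a client whose proxy strips the header is still served, because the decision rests on the token and the Referer is only used to reject requests that are visibly cross-site.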