On Wed, 7 Jun 2000, Jon Franz wrote:
> Basically, if a user with manager privileges to a folder changes their password to be empty, then anyone (from permitted domains) can access the management screen for that folder Without Logging On... Zope assumes that you are the user without the password and treats you as if you have those rights.
This is a feature, but I don't know if or where it is documented besides the source code (which is a bug if it isn't I guess). The blank password feature is normally combined with the domain limitation feature to allow connections from a given network to automatically attach with various permissions (such as a trusted that pushes data into the ZODB - this method avoids having to keep a password in plaintext around on your filesystem).

--
Stuart Bishop                        Work: zen@cs.rmit.edu.au
Senior Systems Alchemist             Play: zen@shangri-la.dropbear.id.au
Computer Science, RMIT University
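An audit for the configuration discussed in this thread, added here as an example; it is not part of either message and is not Zope's own code. The record fields, the glob-style domain matching and the rule that an empty domain list means "no restriction" are assumptions of this sketch, and the sample records are constructed.

```python
from fnmatch import fnmatch

# Constructed sample records; field names are hypothetical, not Zope's schema.
USERS = [
    {"name": "alice", "password": "s3cret", "roles": ["Manager"], "domains": []},
    {"name": "feeder", "password": "", "roles": ["Editor"], "domains": ["10.1.2.*"]},
    {"name": "bob", "password": "", "roles": ["Manager"], "domains": ["*.example.org"]},
    {"name": "carol", "password": "", "roles": ["Manager"], "domains": []},
]


def domain_allows(user, host, addr):
    """True if the client host name or address matches a domain pattern.
    Assumption of this model: an empty list means no domain restriction."""
    if not user["domains"]:
        return True
    return any(fnmatch(host, p) or fnmatch(addr, p) for p in user["domains"])


def passwordless_accounts_for(users, host, addr):
    """Names of blank-password accounts a client at host/addr would match,
    i.e. identities it could be given without logging on."""
    return [u["name"] for u in users
            if u["password"] == "" and domain_allows(u, host, addr)]


def audit(users, privileged=("Manager",)):
    """Flag every blank-password account and rank it by exposure."""
    findings = []
    for u in users:
        if u["password"] != "":
            continue  # normal password-protected account
        if not u["domains"]:
            level = "critical: blank password, no domain restriction"
        elif any(r in privileged for r in u["roles"]):
            level = "high: privileged role granted by network location"
        else:
            level = "review: confirm this is an intended trusted-host account"
        findings.append((u["name"], level))
    return findings


if __name__ == "__main__":
    for name, level in audit(USERS):
        print(f"{name}: {level}")
```
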