22 May 2006, 9:45 p.m.
Cliff Ford wrote at 2006-5-14 23:39 +0100:
... My problem is that I figured out how a user who has permission to create python scripts (might work with dtml and page templates too) could access otherwise forbidden content by making calls that pretend to come from another user. Has anyone else come across this problem and devised a solution, either in software or organisation?
Problem verified with Zope 2.9.2 and latest RemoteUserFolder.
That surprises me -- unless the user can create "AccessRule"s: Usually, authentication is performed before any PythonScript is executed. I know only one exception: "AccessRule"s.

-- Dieter