9 Mar 2001, 2:46 p.m.
Now go to http://yourserver.com/a/Control_Panel/manage_main. Log in as bob. The page is displayed, and some of the options work, like you can remove products.
Is this a bug or a misunderstanding on my part?
It looks like a big security hole in Zope. The problem here is that Control_Panel should not be acquired. Please report the bug to the Collector.
FYI - I'm looking at this now. What I know so far is that it is definitely wrong and that it only affects 2.3.x (2.2.5 and earlier are ok). Stay tuned.

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com