25 Aug 2001, 10:15 p.m.
Kyler B. Laird writes:

> Looking around on Zope.org, I realized that this might already be addressed. Is there anything that prevents me (as a Zope community member with authoring privileges on zope.org) from luring users who have already authenticated with Zope.org to come look at my pages, and then running arbitrary commands with their privileges?

Starting with Zope 2.2, the effective permissions are the intersection of those of the current user and those of the executable's owner. That implies the authors cannot do things by hijacking visitors.
Dieter
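
The intersection rule described in the reply above, as an added example that is not part of the original message and is not Zope's own code. It is a simplified model: the names `User`, `Script`, `PERMISSION_ROLES`, `allowed` and `effective_allowed`, and the sample roles and permissions, are all hypothetical and constructed for illustration.

```python
# Simplified model of the ownership rule (not Zope's implementation).
# Every name and the sample policy below are hypothetical/constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Script:
    name: str
    owner: User  # the author who created the executable


# Constructed sample policy: permission -> roles that hold it.
PERMISSION_ROLES = {
    "View": frozenset({"Anonymous", "Member", "Manager"}),
    "Add Documents": frozenset({"Member", "Manager"}),
    "Delete objects": frozenset({"Manager"}),
}


def allowed(user, permission):
    """True if one of the user's roles holds the permission.
    Unknown permissions map to no roles, so the check fails closed."""
    return bool(user.roles & PERMISSION_ROLES.get(permission, frozenset()))


def effective_allowed(visitor, script, permission):
    """Intersection rule: the visitor AND the script's owner must both hold it."""
    return allowed(visitor, permission) and allowed(script.owner, permission)


def effective_permissions(visitor, script):
    """All permissions usable while `visitor` runs `script`."""
    return {p for p in PERMISSION_ROLES if effective_allowed(visitor, script, p)}


author = User("author", frozenset({"Member"}))
manager = User("manager", frozenset({"Manager"}))
anonymous = User("anonymous", frozenset({"Anonymous"}))
lure_page = Script("lure_page", owner=author)    # written by a low-privilege author
admin_tool = Script("admin_tool", owner=manager)  # written by a manager
```

A manager who visits `lure_page` is limited to what the author could do anyway, and an anonymous visitor gains nothing from running `admin_tool`.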