Not that I am aware of. On Sun, 5 Oct 2003, Florian Lindner wrote:
Well, some users feel that giving anonymous users the right to send mail is not a good idea (-: Looks like you have this problem resolved!
Is there any way to send emails with the Mailhost except via Scripts?
On Sun, 5 Oct 2003, Florian Lindner wrote:
Hello, I've tracked it down:
msg = context.confirm_subscription.absolute_url() + "?ID=" + str(rnd)
context.MailHost.simple_send(REQUEST.email, "webmaster@centershock.net", "centershocknet: confirmation required", msg) <--
If I uncomment the marked line, it works (the msg=... line is only for a better understanding). When I enable Use mailhost services for anonymous it works! What are the (dangerous) implications of this permission? Why is it not enabled by default?
Thanks, Florian
Dennis Allison wrote:
Which Zope are you running? I'd install Shane's Verbose Security Product and use it to track down the protection failure. No protection problem jumps out at me from your precis code.
On Sun, 5 Oct 2003, Florian Lindner wrote:
Dennis Allison wrote:
What does the form action do?
It sends the form data with POST to a script:
<form action="generatePending" method="post">
The script does some checks on the input data:
if REQUEST.name == '':
and calls some SQL-Methods
context.addPendingUser(ID=rnd, name=REQUEST.name, email=REQUEST.email)
At the end it redirects to a confirmation page:
RESPONSE.redirect(context['conf_required.zpt'].absolute_url())
That's about all.
All permissions of all involved objects are set to "Acquired".
Thanks, Florian
On Sun, 5 Oct 2003, Florian Lindner wrote:
>Dennis Allison wrote:
>
>>Look at the security sessions of the root folder from which acquired
>>permissions are derived. I suspect that anonymous users don't have the
>>necessary permissions.
>
>All permissions are set to Manager, except these, which additionally have
>Anonymous set:
>
>Access Transient Objects
>Access contents information
>Access session data
>Copy or Move (why is this granted to Anons?)
>Query Vocabulary
>Search ZCatalog
>Use Database Methods
>View
>WebDAV access
>
>What is wrong/missing?
>
>Is there anywhere an explanation of what all these permissions mean?
>
>Thanks,
>Florian
>
>>On Sun, 5 Oct 2003, Florian Lindner wrote:
>>
>>>Hello,
>>>I've just discovered a strange thing with my (test-)site. I don't know
>>>if it was from the beginning, or if I changed something.
>>>I'm using CookieCrumbler for authentication. I'm not logged in
>>>(Anonymous User).
>>>I've a page template with a form. The action attribute of the form
>>>refers to a python-script-object. But if I submit the script I'm
>>>redirected to the login-page (the page set in cookie-crumbler). Obviously
>>>an anon user doesn't have permissions to execute the script. All
>>>permissions are set to acquire, in the objects and in the upper folders.
>>>Is this normal? Which permissions do I have to set?
>>>The same behavior I've with a page template which just calls a
>>>SQL-method and displays (tal:repeat) the results. I've changed no
>>>security permissions.
>>>Everything works when I'm logged in with a user.
>>>What is wrong?
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )