22 Nov 2001, 3:18 p.m.
Ragnar Beer wrote:
Thanks a lot! I was trying to grep 'Access_contents_information' and didn't find a lot. Now I know that anyone can e.g. access propertyItems which is quite a bad thing in this case :(
Ragnar
Yes, you're right. One thing to note is that there is another security measure. In old Zopes (<= 2.1.6 IIRC) it was for instance possible to go to http://zopeserver/objectIds to get that list, which doesn't work nowadays, although anonymous has "Access contents information" rights. I wonder why propertyItems doesn't do the same.

cheers,
oliver