Maybe this is how it's supposed to work, but I'm not sure.

root a acl_users bob, role manager

Now go to http://yourserver.com/a/Control_Panel/manage_main. Log in as bob. The page is displayed, and some of the options work, like you can remove products.

Is this a bug or a misunderstanding on my part?

-Randy

On Thu, 8 Mar 2001, Randall F. Kern wrote:
> root a acl_users bob, role manager
> Now go to http://yourserver.com/a/Control_Panel/manage_main. Log in as bob. The page is displayed, and some of the options work, like you can remove products.
> Is this a bug or a misunderstanding on my part?

It looks like a big security hole in Zope. The problem here is that Control_Panel should not be acquired. Please report the bug to the Collector.

Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.

> > Now go to http://yourserver.com/a/Control_Panel/manage_main. Log in as bob. The page is displayed, and some of the options work, like you can remove products.
> > Is this a bug or a misunderstanding on my part?
> It looks like a big security hole in Zope. The problem here is that Control_Panel should not be acquired. Please report the bug to the Collector.

FYI - I'm looking at this now. What I know so far is that it is definitely wrong and that it only affects 2.3.x (2.2.5 and earlier are ok). Stay tuned.

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com

participants (3): Brian Lloyd, Oleg Broytmann, Randall F. Kern
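
A simplified model of the behaviour reported in this thread, added here as an illustration; it is not Zope's code and not the fix Digital Creations shipped. The `Node` class, the `admin` user, the `NO_ACQUIRE` set and the `harden` flag are assumptions: the model resolves missing names by acquisition, takes roles from the nearest user folder in the request's context, and shows how refusing to acquire Control_Panel (Oleg's suggestion) closes the path.

```python
# Toy model of acquisition-based traversal (illustrative, not Zope internals).
class Node:
    def __init__(self, name, parent=None, users=None):
        self.name = name
        self.children = {}
        self.users = users or {}          # stands in for a local acl_users
        if parent is not None:
            parent.children[name] = self

NO_ACQUIRE = {"Control_Panel"}            # assumed deny-list used when harden=True

def traverse(root, path, harden=False):
    """Return the context chain (outermost first) for a URL path."""
    chain = [root]
    for name in path.strip("/").split("/"):
        obj = chain[-1].children.get(name)
        if obj is None:                   # not contained here: try acquisition
            if harden and name in NO_ACQUIRE:
                raise LookupError(name + " may not be acquired")
            obj = next((c.children[name] for c in reversed(chain[:-1])
                        if name in c.children), None)
            if obj is None:
                raise LookupError(name)
        chain.append(obj)
    return chain

def roles_for(chain, user):
    """Roles come from the nearest user folder in the request's context."""
    for node in reversed(chain):
        if user in node.users:
            return node.users[user]
    return set()

def can_manage(root, path, user, harden=False):
    try:
        chain = traverse(root, path, harden)
    except LookupError:
        return False
    return "Manager" in roles_for(chain, user)

def build_site():
    # Constructed layout matching the report: bob is Manager only inside /a.
    root = Node("root", users={"admin": {"Manager"}})
    Node("a", root, users={"bob": {"Manager"}})
    Node("Control_Panel", root)
    return root

if __name__ == "__main__":
    site = build_site()
    for path in ("/Control_Panel", "/a/Control_Panel"):
        print(path, can_manage(site, path, "bob"),
              can_manage(site, path, "bob", harden=True))
```
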