Hi Zopistas,

I've got a question whether this is the correct behaviour...

I give somebody the right to add "Documents, Images and Files" and don't give him the right to "Change DTML Method". Then I log in as that user and I get DTML Method in the drop down list (already peculiar) and when I select it I can create a DTML Method AND upload a file to it!!!! Although when I try to change the DTML Method then I get a login window asking me to log in (That's OK). So I can't change anything afterwards but I can upload what I want.

This is somehow a quite drastic security breach in my humble opinion. Maybe it would help splitting the Add Right in three parts?!

Regards
Oliver

Oh and if someone needs the exact information please contact me and I'll send it but it's a little too much for the maillist. ;-))

oliver.erlewein@sqs.de writes:
> I give somebody the right to add "Documents, Images and Files" and don't give him the right to "Change DTML Method". Then I log in as that user and I get DTML Method in the drop down list (already peculiar) and when I select it I can create a DTML Method AND upload a file to it!!!! Although when I try to change the DTML Method then I get a login window asking me to log in (That's OK). So I can't change anything afterwards but I can upload what I want.
>
> This is somehow a quite drastic security breach in my humble opinion. Maybe it would help splitting the Add Right in three parts?!

I do not see a security breach:
Everything happens as the chosen permission terms suggest. You can add Methods (as "Documents") but you cannot change them.

If you need fine-grained security, make your own subclasses and protect them as you feel they should be protected.

Dieter

participants (2): Dieter Maurer, oliver.erlewein@sqs.de