[Zope-CMF] Security issue in CMF 1.0/1.1

Shane Hathaway shane@digicool.com
Tue, 12 Jun 2001 06:24:55 -0400


Volodymyr Cherepanyak wrote:
> Any "private" content type can be viewed by an anonymous user after typing
> its URL in the browser input (i.e. site/New_Document/view).

More precisely, content in unprotected folders is currently
unprotected.  Content in protected folders is protected.  This is not a
security issue.

> Is this a bug, or am I missing something? I think a private document
> shouldn't be viewable by anybody except the owner/manager.

Please read what I wrote to Brad Clements last night at 10:15 PM.

Shane