[Zope-CMF] Security issue in CMF 1.0/1.1

[Shane Hathaway]

Volodymyr Cherepanyak wrote:
> Any "private" content type can be viewed by anonymous user, after typing
> it URL in browser input (i.e. site/New_Document/view).

More precisely, content in unprotected folders is currently
unprotected.  Content in protected folders is protected.  This is not a
security issue.

> Is this a bug, or I am missing something? I think private document
> shouldn't be viewable by anybody except owner/manager.

Please read what I wrote to Brad Clements last night at 10:15 PM.

Shane