[Zope-CMF] Security Bug in CMF???

Tres Seaver tseaver@zope.com
Mon, 24 Sep 2001 08:27:45 -0400

Marc Fischer wrote:

> Hello, 
> I have a big Problem with the excluding of anonymous people from my CMF
> Site. I really hope that someone of you is able to give me a hint! ...pleassseeee
> :-)
> So, I want to forbid anonymous access to my CMF Site. That's it! Now the
> problem:
> I followed the hints on cmf.zope.org:
> 1. I unchecked the "acquire permission settings" of "access contents
> information" for the portal and only assigned it to managers and members.
> 2. I did the same for the "view" permission. 
> 3. Then I made the login_form accessible for anonymous users, so that they
> are able to log in!
> So far so good. Now the problem:
> If a member creates for example a new document, there appears an error in
> the security settings of this document. Although it is still in private state
> the view permission of this object is assigned to members, too!!! That's a big
> bug!!!
> If I undo point 2. from above this error does not appear. 

In order to let portal members view the main part of the site, but
not any unpublished content, you want the workflow to adjust the
permission-role bindings on the object to remove "View" permission
from the member role until the object is "published".

The default workflow is supposed to do this, but wasn't tested in the
"members only" configuration you describe: I just reproduced your
problem on a stock site.

As an immediate workaround, install DCWorkflow 0.4
(http://cmf.zope.org/Members/hathawsh/DCWorkflow-0.4.tar.gz) or
from CVS;  replace the 'default_workflow' object in 'portal_workflow'
with an instance (named 'default_workflow') of the "classic" workflow.
It does the Right Thing on a "members-only" site.

You will need to click the "Update security settings" button on the
"Workflows" tab of the 'portal_workflow' tool to "fix up" your private

This "workaround" has the additional benefit of making the workflow
itself customizable, should you discover a need for such modification.

Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
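As an added illustration (not code from this thread, nor from CMF or DCWorkflow itself), a small pure-Python model of the mechanism Tres describes: with the portal granting "View" to Member and the document carrying no binding of its own, the document acquires Member's view right; a workflow that writes explicit, non-acquiring permission-role bindings per state removes it until the object is published. All names here are hypothetical.

```python
"""Model of per-state permission-role bindings in a CMF-style workflow.

Added example, not CMF/DCWorkflow code. It mimics Zope permission
acquisition and the per-state role mapping that a workflow applies
when it updates an object's security settings.
"""

# Portal-level settings as in the steps quoted above: acquisition off,
# "View" and "Access contents information" granted to Manager and Member.
PORTAL = {
    "View": (["Manager", "Member"], False),
    "Access contents information": (["Manager", "Member"], False),
}

# Bindings a "members-only"-aware workflow applies per state (hypothetical):
# private content is visible to its Owner and Managers only; once
# published, Member regains "View".
STATE_PERMISSION_ROLES = {
    "private": {"View": ["Manager", "Owner"],
                "Access contents information": ["Manager", "Owner"]},
    "published": {"View": ["Manager", "Member", "Owner"],
                  "Access contents information": ["Manager", "Member", "Owner"]},
}


class Document:
    def __init__(self, state="private"):
        self.state = state
        self.local_permissions = {}  # perm -> (roles, acquire)


def update_role_mappings(doc):
    """Bind the roles for the current state on the object, acquisition off."""
    for perm, roles in STATE_PERMISSION_ROLES[doc.state].items():
        doc.local_permissions[perm] = (list(roles), False)


def roles_for(doc, perm):
    """Resolve roles: the object's own binding, plus the portal's if acquiring."""
    roles, acquire = doc.local_permissions.get(perm, ([], True))
    if acquire:
        roles = roles + PORTAL[perm][0]
    return sorted(set(roles))


def member_can_view(doc):
    return "Member" in roles_for(doc, "View")


def publish(doc):
    doc.state = "published"
    update_role_mappings(doc)
```

A freshly created document with no workflow-applied bindings acquires "View" for Member from the portal (the symptom reported); after `update_role_mappings` only Manager and Owner remain until `publish` runs.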