[Zope-CMF] Security Bug in CMF???

Marc Fischer marcbpc@gmx.de
Mon, 24 Sep 2001 15:17:29 +0200 (MEST)


> Marc Fischer wrote:
> 
> > Hello, 
> > 
> > I have a big problem with excluding anonymous people from my CMF
> > site. I really hope that someone of you is able to give me a hint!
> ...pleassseeee
> > :-)
> > 
> > So, I want to forbid anonymous access to my CMF site. That's it! Now the
> > problem:
> > 
> > I followed the hints on cmf.zope.org:
> > 
> > 1. I unchecked "acquire permission settings" for "Access contents
> > information" on the portal and assigned it only to Managers and Members.
> > 
> > 2. I did the same for the "View" permission.
> > 
> > 3. Then I made the login_form accessible to anonymous users, so that they
> > are able to log in.
> > 
> > So far so good. Now the problem:
> > 
> > If a member creates, for example, a new document, an error appears in the
> > security settings of this document. Although it is still in the private
> > state, the "View" permission on this object is assigned to Members, too!!!
> > That's a big bug!!!
> > If I undo point 2. from above, this error does not appear.
> 
> 
> In order to let portal members view the main part of the site, but
> not any unpublished content, you want the workflow to adjust the
> permission-role bindings on the object to remove "View" permission
> from the member role until the object is "published".
> 
> The default workflow is supposed to do this, but wasn't tested in the
> "members only" configuration you describe: I just reproduced your
> problem on a stock site.
> 
> As an immediate workaround, install DCWorkflow 0.4
> (http://cmf.zope.org/Members/hathawsh/DCWorkflow-0.4.tar.gz) or
> from CVS;  replace the 'default_workflow' object in 'portal_workflow'
> with an instance (named 'default_workflow') of the "classic" workflow.
> It does the Right Thing on a "members-only" site.
> 
> You will need to click the "Update security settings" button on the
> "Workflows" tab of the 'portal_workflow' tool to "fix up" your private
> content.
> 
> This "workaround" has the additional benefit of making the workflow
> itself customizable, should you discover a need for such modification.
> 

Thank you very much. This was a very helpful hint!!!
The bug I described disappears :-)

But now I have an additional question about those security settings.
If I now create an object, the "View" permission is no longer assigned to
Members :-). But if I publish this item, the "View" and "Access contents
information" permissions are assigned to "Anonymous" users, too!!! *** second
problem ***

Instead, those permissions should now be assigned to Members.

That's not really a problem with content like documents or news, because the
standard_html_header is not accessible to anonymous users, and so the document
is not accessible either.
But a File object, for example, could be downloaded by an anonymous user!!!

Hopefully you can help me in this case, too. (Or somebody else.)
What is responsible for this setting?

Cheers, 
Marc

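As an added example (it is not part of this thread, nor CMF or DCWorkflow code), here is a small Python model of what the quoted reply describes: the workflow writes a permission-role map onto each object for its current state, and that map is resolved against the members-only portal root with Zope-style acquisition. The state names (private, pending, published) and the permission names are the CMF defaults; the role sets, the "stock" versus "members-only" map variants, the buggy private map and every helper name are constructed here for illustration and are not taken from the real workflow definitions.

```python
"""Toy model of CMF-style workflow permission maps with Zope-style acquisition.

Constructed illustration, not Zope or CMF code. State and permission names
follow the CMF defaults; the lookup is a simplified stand-in for Zope's
role-permission check and the maps are assumptions for the purpose of the demo.
"""

VIEW = "View"
ACCESS = "Access contents information"

# Each map is permission -> (acquire_from_parent, explicit_roles).
# Members-only portal root as configured in the thread: acquisition unchecked,
# View and Access granted to Manager and Member only (assumed role sets).
PORTAL_ROOT = {
    VIEW: (False, frozenset({"Manager", "Member"})),
    ACCESS: (False, frozenset({"Manager", "Member"})),
}

# Private/pending maps that keep unpublished content away from plain Members.
_PRIVATE = {
    VIEW: (False, frozenset({"Manager", "Owner"})),
    ACCESS: (False, frozenset({"Manager", "Owner"})),
}
_PENDING = {
    VIEW: (False, frozenset({"Manager", "Owner", "Reviewer"})),
    ACCESS: (False, frozenset({"Manager", "Owner", "Reviewer"})),
}

# The "first problem" from the thread, modelled: private content whose View
# permission is also handed to Member (constructed map, not the real default).
BUGGY_PRIVATE = {
    VIEW: (False, frozenset({"Manager", "Owner", "Member"})),
    ACCESS: (False, frozenset({"Manager", "Owner", "Member"})),
}

# Stock-style behaviour described as the "second problem": publishing grants
# View and Access to Anonymous on top of whatever is acquired from the root.
STOCK_STATE_MAPS = {
    "private": _PRIVATE,
    "pending": _PENDING,
    "published": {
        VIEW: (True, frozenset({"Anonymous"})),
        ACCESS: (True, frozenset({"Anonymous"})),
    },
}

# Members-only variant: publishing grants Member, never Anonymous.
MEMBERS_ONLY_STATE_MAPS = {
    "private": _PRIVATE,
    "pending": _PENDING,
    "published": {
        VIEW: (True, frozenset({"Member"})),
        ACCESS: (True, frozenset({"Member"})),
    },
}


def effective_roles(permission, perm_map, parent_map):
    """Roles holding `permission` on an object: its explicit roles, plus the
    parent's roles when the acquire flag is set (one level, for simplicity)."""
    acquire, roles = perm_map[permission]
    roles = set(roles)
    if acquire:
        roles |= set(parent_map[permission][1])
    return roles


def make_content(state, state_maps):
    """A new object picks up the permission map of its initial workflow state."""
    return {"state": state, "permissions": dict(state_maps[state])}


def transition(obj, new_state, state_maps):
    """Workflow transition: change state and rewrite the object's map, which is
    what the thread wants the workflow to do on publish."""
    obj["state"] = new_state
    obj["permissions"] = dict(state_maps[new_state])
    return obj


def update_security_settings(objs, state_maps):
    """Re-apply each object's current-state map in place; models the tool's
    'Update security settings' button for content that already exists."""
    for obj in objs:
        obj["permissions"] = dict(state_maps[obj["state"]])
    return objs


def allowed(user_roles, permission, obj, parent_map=PORTAL_ROOT):
    """True if any of the user's roles holds `permission` on `obj`."""
    return bool(set(user_roles) & effective_roles(permission, obj["permissions"], parent_map))


def anonymous_can_view(state_maps):
    """States in which a request carrying only the Anonymous role may View.
    A File is served directly, so View alone decides whether it downloads."""
    anon = {"Anonymous"}
    return sorted(s for s in state_maps
                  if allowed(anon, VIEW, {"state": s, "permissions": state_maps[s]}))


if __name__ == "__main__":
    print("stock:", anonymous_can_view(STOCK_STATE_MAPS))
    print("members-only:", anonymous_can_view(MEMBERS_ONLY_STATE_MAPS))
```

Running the check against the stock-style map reports the published state as anonymously viewable, which is exactly the File-download exposure the message above worries about; swapping in the members-only map and re-applying it to existing content (the `update_security_settings` step) removes Anonymous from the published mapping while Members and Managers keep their access through the explicit grant and the acquired root roles.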