[Zope-CMF] Security Bug in CMF???

Andrew Sawyers andrew@zope.com
Mon, 24 Sep 2001 09:34:29 -0700


Marc,
In the portal_workflow of your CMF root, look at the security tab for the
publish transition.  It's assigning view on the transition to anonymous;
just remove that security setting for the transition and update the security
per Tres; this should fix your problem.
Andrew

> But now I have an additional question regarding those security settings.
> If I now create an object the "view" permission is not assigned to members
> anymore :-). But if I publish this item, the "view" and "access contents
> information" permissions are assigned to "anonymous users", too!!! ***
> second problem ***.
>
> Instead of this, those permissions should now be assigned to members.
>
> That's not really a problem with content like documents or news, because the
> standard_html_header is not accessible by anonymous users and so the document
> is not accessible, either.
> But for example a file object could be downloaded by an anonymous user!!!
>
> Hopefully you could help me in this case, too. (Or somebody else)
> What is responsible for this setting?
>
> Cheers,
> Marc
>
> _______________________________________________
> Zope-CMF maillist  -  Zope-CMF@zope.org
> http://lists.zope.org/mailman/listinfo/zope-cmf
>
> See http://www.zope.org/Products/PTK/Tracker for bug reports and feature requests
>