[Zope-CMF] Re: How to make your CMF portal "Members Only"

Ausum Studio ausum_studio@hotmail.com
Tue, 20 Aug 2002 12:17:55 -0500


----- Original Message -----
From: "Ben Gustafson" <cbg3@earthlink.net>
>
> I'm not sure I follow where the potential security issue comes into play.
> If an unauthenticated visitor attempts to access any method other than the
> login_form, including those using ZPT instead of DTML (see steps 3 and 4),
> they are redirected to the login_form method. How is that a security
> issue?

I might have pointed out that my concern was related to DTML-based CMF
sites. Unless a method is deliberately restricted, it will be available by
default to anonymous users, no matter whether or not it is within a CMF object.
This is the same when you render standard_html_footer, for example, out of
its page context, unless it retrieves protected content. And if, by any
means, you tweaked the proxy roles of some of those methods, you may also be
exposing that protected content.





Ausum
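The point Ausum makes above, that an unrestricted method is callable directly by URL and that proxy roles let it hand protected content to an anonymous caller, as an added example that is not code from the thread or from Zope/CMF. It is a deliberately small model of Zope 2 style permission checks, not Zope's own security machinery; the object names (standard_html_footer, member_report, members_list, site_tagline), the role sets and the "View" permission mapping are constructed for illustration.

```python
"""Added example: a simplified model of Zope 2 style permission checks with
proxy roles.  Not Zope's security machinery and not code from the original
thread; all object names, roles and permission grants are constructed."""


class Unauthorized(Exception):
    """Raised when the effective roles do not hold the needed permission."""


class SecurityModel:
    """Objects, their permission-to-roles map, and the methods that read them."""

    def __init__(self):
        self.objects = {}   # name -> {permission: set(roles)}
        self.content = {}   # name -> rendered text of a plain content object
        self.methods = {}   # name -> (objects it renders, proxy roles)

    def add_content(self, name, text, view_roles):
        self.objects[name] = {"View": set(view_roles)}
        self.content[name] = text

    def add_method(self, name, reads, view_roles, proxy_roles=()):
        # A DTML/ZPT method is itself an object guarded by "View"; unless it is
        # deliberately restricted, a CMF site typically grants View to Anonymous.
        self.objects[name] = {"View": set(view_roles)}
        self.methods[name] = (list(reads), frozenset(proxy_roles))

    def check(self, name, permission, roles):
        allowed = self.objects[name].get(permission, set())
        if not allowed & set(roles):
            raise Unauthorized(f"{sorted(roles)} lack {permission} on {name}")

    def call(self, name, caller_roles):
        """Call a method directly by URL, outside any page context."""
        caller_roles = set(caller_roles)
        # 1. the caller needs View on the method itself (the "door")
        self.check(name, "View", caller_roles)
        reads, proxy_roles = self.methods[name]
        # 2. with proxy roles set, everything the method renders is checked
        #    against those roles instead of the caller's own
        effective = set(proxy_roles) if proxy_roles else caller_roles
        out = []
        for target in reads:
            self.check(target, "View", effective)
            out.append(self.content[target])
        return "\n".join(out)


ANON = {"Anonymous"}
MEMBER = {"Member", "Authenticated"}
DEFAULT_VIEW = {"Anonymous", "Authenticated", "Manager"}  # unrestricted


def build_site():
    """Constructed site: one public and one protected content object, and four
    variants of a method rendering them."""
    site = SecurityModel()
    site.add_content("site_tagline", "Welcome to the portal", DEFAULT_VIEW)
    site.add_content("members_list", "alice, bob", {"Member", "Manager"})
    # default footer: unrestricted, but it only renders public content
    site.add_method("standard_html_footer", ["site_tagline"], DEFAULT_VIEW)
    # report left at the default View grant; the content it renders is protected
    site.add_method("member_report", ["members_list"], DEFAULT_VIEW)
    # same report after someone tweaked its proxy roles
    site.add_method("member_report_proxied", ["members_list"], DEFAULT_VIEW,
                    proxy_roles={"Manager"})
    # same report, deliberately restricted at the door
    site.add_method("member_report_restricted", ["members_list"],
                    {"Member", "Manager"})
    return site


def anonymous_exposure(site, names):
    """Return {method: rendered text, or None if denied} for anonymous calls."""
    result = {}
    for name in names:
        try:
            result[name] = site.call(name, ANON)
        except Unauthorized:
            result[name] = None
    return result


if __name__ == "__main__":
    site = build_site()
    for name, text in anonymous_exposure(site, site.methods).items():
        print(name, "->", "denied" if text is None else repr(text))
```

Rendering the footer out of context is harmless because nothing it touches is protected; the unrestricted report is stopped only at the inner check on members_list, and the proxied variant removes even that stop, so Anonymous gets the protected text. Restricting View on the method itself is the one setting that denies the call before anything is rendered.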