[Zope-CMF] Security problem with CMF 1.2 ?
Florent Guillaume
fg@nuxeo.com
Wed, 30 Jan 2002 12:34:30 +0000 (UTC)
What workflow is this object using? Are you sure the workflow sets
permissions correctly (in particular, disables View when private)?
Also use "Update security settings" in portal_workflow after a
permission change in a DCWorkflow definition.
Florent
Doyon, Jean-Francois <Jean-Francois.Doyon@CCRS.NRCan.gc.ca> wrote:
> Hello,
>
> I just recently installed CMF 1.2 and Zope 2.5.0 ... All is going well, but
> now I've noticed a security problem:
>
> anonymous users can view "private" content!!!
>
> I've changed *NOTHING* to the security settings, except for disabling the
> public "Join" ... (Add portal member)
>
> I checked the settings and "Access future portal content" is NOT assigned to
> the Anonymous users, but "View" is ... As it should be. This is at the root of
> the Zope site, and everything below.
>
> This is with the standard CMFDefault/Document.
>
> I noticed this when I fell upon a document that should've redirected me to
> log in, but instead I see it and the actions box says "Status: Private" ...
> yet I am not logged in ... (Yes I'm sure, since I also see "Log in" :)
--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 10 http://nuxeo.com mailto:fg@nuxeo.com
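
The check suggested in the reply, as an added example that is not part of the original thread and is not Zope or CMF code: a simplified model of role acquisition for "View", showing why a private document with no workflow-applied setting stays visible to Anonymous until the workflow's mapping is re-applied. The `Node` class, the state-to-roles table and all object names are constructed assumptions.

```python
# Simplified model (an assumption, not Zope source) of resolving the roles
# that hold "View" on an object: a tuple is an explicit setting that stops
# acquisition; a list adds roles and keeps acquiring from the parent.
class Node:
    def __init__(self, name, parent=None, review_state=None, view_roles=None):
        self.name, self.parent = name, parent
        self.review_state = review_state
        self.view_roles = view_roles  # None = no local setting at all

# Constructed state -> roles table for "View", in the spirit of a workflow
# definition that disables View for Anonymous in the private state.
WORKFLOW_VIEW_ROLES = {
    "private": ("Manager", "Owner"),
    "published": ("Anonymous", "Manager", "Owner"),
}

def effective_view_roles(node):
    """Walk up the containment chain collecting roles that grant View."""
    roles = set()
    while node is not None:
        if node.view_roles is not None:
            roles.update(node.view_roles)
            if isinstance(node.view_roles, tuple):
                break  # acquisition disabled at this level
        node = node.parent
    return roles

def exposed_private(nodes):
    """Names of private objects that Anonymous can still view."""
    return [n.name for n in nodes
            if n.review_state == "private"
            and "Anonymous" in effective_view_roles(n)]

def update_security_settings(nodes):
    """Re-apply each state's role mapping; return how many objects changed."""
    changed = 0
    for n in nodes:
        wanted = WORKFLOW_VIEW_ROLES.get(n.review_state)
        if wanted is not None and n.view_roles != wanted:
            n.view_roles, changed = wanted, changed + 1
    return changed

def demo():
    root = Node("root", view_roles=("Anonymous", "Manager"))
    folder = Node("folder", root)
    stale = Node("stale_doc", folder, "private")  # mapping never applied
    good = Node("good_doc", folder, "private", ("Manager", "Owner"))
    docs = [stale, good]
    before = exposed_private(docs)
    return before, update_security_settings(docs), exposed_private(docs)

if __name__ == "__main__":
    print(demo())
```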