[Zope-CMF] Security problem with CMF 1.2 ?

Tres Seaver tseaver@zope.com
Wed, 30 Jan 2002 07:41:36 -0500 (EST)


On Wed, 30 Jan 2002, Florent Guillaume wrote:

> What workflow is this object using ? Are you sure the workflow sets
> permissions correctly (in particular, disables View when private) ?

Ah, I remember this bug;  the "Classic" type of DCWorkflow
mistakenly grants 'View' when in 'private' state.  Go to the
ZMI of the workflow, select the "Security" tab of the private
state, and remove 'View' from 'Anonymous'.  Then (as Florent
notes), click "Update security settings" on the tool, to permit
the workflow to apply your new settings.

Shane, can you double-check that this is fixed in CVS?

> Also use "Update security settings" in portal_workflow after a
> permission change in a DCWorkflow definition.
>
> Florent
>
> Doyon, Jean-Francois <Jean-Francois.Doyon@CCRS.NRCan.gc.ca> wrote:
> > Hello,
> >
> > I just recently installed CMF 1.2 and Zope 2.5.0 ... All is going well, but
> > now I've noticed a security problem:
> >
> > anonymous users can view "private" content!!!
> >
> > I've changed *NOTHING* to the security settings, except for disabling the
> > public "Join" ... (Add portal member)
> >
> > I checked the settings and "Access future portal content" is NOT assigned to
> > the Anonymous users, but "View" is ... As it should be. This at the root of
> > the zope site, and everything below.
> >
> > This is with the standard CMFDefault/Document.
> >
> > I noticed this when I fell upon a document that should've redirected me to
> > log in, but instead I see it and the actions box says "Status: Private" ...
> > yet I am not logged in ... (Yes I'm sure, since I also see "Log in" :)
>

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
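The check Tres describes (does the "private" state of a DCWorkflow still hand 'View' to Anonymous?) can be expressed as a small audit over the per-state permission table. The following is an added example, not code from the CMF project or from anyone in this thread. It assumes the table has the shape of DCWorkflow's `StateDefinition.permission_roles`, where each permission maps to a tuple of roles when the setting is not acquired and to a list of roles when it acquires from the parent; the workflow tables below are constructed for illustration and do not reproduce the real "Classic" workflow's role lists. Because the original poster's site grants 'View' to Anonymous at the root (which is the normal configuration), an acquiring setting is just as leaky as an explicit Anonymous grant, so both are flagged.

```python
"""Audit a DCWorkflow-style state/permission table for restricted states that
still expose 'View' to Anonymous.

Constructed example; not code from CMF or from the mailing-list thread.
Assumed shape (mirrors DCWorkflow's StateDefinition.permission_roles):
    {state_name: {permission_name: ("Role", ...) or ["Role", ...]}}
A tuple means the roles are set here and nothing is acquired; a list means the
state acquires the parent's roles in addition to the ones listed.
"""

ANONYMOUS = "Anonymous"
VIEW = "View"


def state_exposes_view(perm_roles, root_grants_anonymous_view=True):
    """True if objects in this state can be viewed by Anonymous.

    root_grants_anonymous_view models the site root granting 'View' to
    Anonymous, as the poster reports; with that in place, any acquiring or
    unmanaged setting falls through to a public grant.
    """
    roles = perm_roles.get(VIEW)
    if roles is None:
        # The state does not manage 'View' at all: the parent's grant applies.
        return root_grants_anonymous_view
    if ANONYMOUS in roles:
        # Explicit grant, the defect described in the thread.
        return True
    if isinstance(roles, list) and root_grants_anonymous_view:
        # Acquired setting: Anonymous gets 'View' from the root anyway.
        return True
    return False


def audit_workflow(states, restricted_states=("private",),
                   root_grants_anonymous_view=True):
    """Return the names of restricted states whose 'View' leaks to Anonymous."""
    return sorted(
        name for name in restricted_states
        if name in states
        and state_exposes_view(states[name], root_grants_anonymous_view)
    )


# Constructed tables. Only the 'private' state's View setting differs between them.
CLASSIC_BUGGY = {
    "private": {VIEW: (ANONYMOUS, "Manager", "Owner")},   # the reported defect
    "published": {VIEW: (ANONYMOUS, "Manager", "Owner")},  # public on purpose
}

CLASSIC_FIXED = {
    "private": {VIEW: ("Manager", "Owner")},               # Anonymous removed
    "published": {VIEW: (ANONYMOUS, "Manager", "Owner")},
}

CLASSIC_ACQUIRING = {
    "private": {VIEW: ["Manager", "Owner"]},               # list => acquires root
    "published": {VIEW: (ANONYMOUS, "Manager", "Owner")},
}


if __name__ == "__main__":
    for label, table in (("buggy", CLASSIC_BUGGY),
                         ("fixed", CLASSIC_FIXED),
                         ("acquiring", CLASSIC_ACQUIRING)):
        print(label, "->", audit_workflow(table) or "ok")
```

On a live site the audit only tells you what the workflow *would* apply; the per-object role mappings are not rewritten until "Update security settings" on portal_workflow is run, which is why Florent's second step is part of the fix and not optional.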