Re[2]: [Zope-CMF] Permission problem with type actions

Rainer Thaden <thadi@gmx.de>
Mon, 14 Jul 2003 13:28:29 +0200


Hi Dieter,

this was a STUPID USER bug.
Seems as if my browser took an old page from the cache, so the URL
which directly accessed the view was visible to me :-(

I advised Opera always to look if there's an updated page but that
didn't seem to work.
So forget about this.

DM> Rainer Thaden wrote at 2003-7-9 16:20 +0200:
DM>  > I have some Filesystem based classes in CMF which have a View, edit
DM>  > form and edit action.
DM>  > When an instance of such a class is private and I try to access the
DM>  > url of the instance as anonymous I get a login prompt.
DM>  > But when I append the name of the action (e.g. url/edit_form) I can
DM>  > access it as anonymous.

DM> You probably hit a security hole...

DM> I expect the following:

DM>   The workflow just captures "View" (therefore, you are unable
DM>   to view the object when it is private).

DM>   The object itself is however probably protected by
DM>   "Access contents information" which seems not captured
DM>   by the workflow.
DM>   As a consequence, the template can read and render
DM>   the object content.

DM>   Please file a bug report.


DM> A fix would be to capture "Access contents information" as well
DM> and define the permission-role mapping as for "View".



DM>  > In the types tool there is a permission 'modify portal content' set to
DM>  > this action.

DM> This only controls the display of the action.
DM> It has no effect whatsoever on a request that directly addresses
DM> the corresponding URL.


DM> Dieter



-- 
Gruß,
 Rainer                            mailto:thadi@gmx.de
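As an added illustration of the gap Dieter describes (not code from this thread or from CMF itself): a small pure-Python model of a DCWorkflow state's permission-role mapping, with the permission names and the portal-root roles as constructed assumptions. It reports which permissions a state leaves uncaptured and whether Anonymous still holds them before and after the suggested fix.

```python
"""Simplified model of a DCWorkflow state's permission-role mapping (not Zope code).

Assumption: a state maps each permission it captures to (acquire_flag, roles);
a permission the state does not capture keeps the roles acquired from the portal.
"""

VIEW = "View"
ACCESS = "Access contents information"
MODIFY = "Modify portal content"

# Constructed stand-in for the roles the portal root grants (typical CMF defaults).
PORTAL_ROLES = {
    VIEW: {"Anonymous", "Manager", "Owner", "Member"},
    ACCESS: {"Anonymous", "Manager", "Owner", "Member"},
    MODIFY: {"Manager", "Owner"},
}


def effective_roles(state_map, permission, acquired=PORTAL_ROLES):
    """Roles holding `permission` on an object whose state is `state_map`.

    A captured permission with acquire_flag False is exactly `roles`; with
    acquire_flag True it is `roles` plus the acquired roles; an uncaptured
    permission is purely the acquired roles."""
    if permission not in state_map:
        return set(acquired.get(permission, ()))
    acquire, roles = state_map[permission]
    result = set(roles)
    if acquire:
        result |= set(acquired.get(permission, ()))
    return result


def anonymous_can(state_map, permission):
    """True if an anonymous request still holds `permission` in this state."""
    return "Anonymous" in effective_roles(state_map, permission)


def unmanaged(state_map, needed):
    """Permissions from `needed` that the workflow state does not capture at all."""
    return sorted(p for p in needed if p not in state_map)


# 'private' state as reported: only View is captured by the workflow.
PRIVATE_BEFORE = {VIEW: (False, ["Manager", "Owner"])}
# The suggested fix: capture Access contents information with the same mapping.
PRIVATE_AFTER = {
    VIEW: (False, ["Manager", "Owner"]),
    ACCESS: (False, ["Manager", "Owner"]),
}
```

Running `unmanaged(PRIVATE_BEFORE, [VIEW, ACCESS])` flags "Access contents information" as uncaptured, and `anonymous_can` shows Anonymous keeps it until the state also captures it.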