[Zope-CMF] Security problem in CMF
Jeff Coleman
jeff@hi-privacy.net
Tue, 3 Jun 2003 14:41:37 -0500
Hi all,

Should objects in a skin folder IGNORE the security setting of the skin
folder they are in?

Considering how Zope security works with acquisition I think this is a
BIG security problem.

Example:

portal/portal_skins/my_skin/austin/object

If 'View' is set to 'Acquire permission settings?' not checked and
'Anonymous' not checked on the folder 'my_skin', an anonymous user can
still view portal/object.

Thanks,
Jeff