[Zope-CMF] Security problem in CMF

Jeff Coleman jeff@hi-privacy.net
Tue, 3 Jun 2003 14:41:37 -0500


Hi all,

Should objects in a skin folder IGNORE the security setting of the skin
folder they are in?
Considering how Zope security works with acquisition, I think this is a
BIG security problem.

Example:
portal/portal_skins/my_skin/austin/object

If 'View' is set to 'Acquire permission settings?' not checked and
'Anonymous' not checked on the folder 'my_skin', an anonymous user can
still view portal/object.

Thanks,
Jeff
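
Added example (not part of the original post and not Zope or CMF code): a simplified model of the behaviour reported above, where the same object is reached directly through the skin folder and through portal/object. It assumes that an object resolved through the skin is evaluated in the portal's context, so the role lookup never visits 'my_skin'. The Node class, roles_for, can_view, build and the root folder's settings are hypothetical.

```python
# Toy model (not Zope/CMF code): roles for a permission are resolved by
# walking the containment chain until a node stops acquiring.

class Node:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.settings = {}  # permission -> (acquire flag, set of roles)

    def set_permission(self, permission, acquire, roles):
        self.settings[permission] = (acquire, set(roles))

    def in_context(self, new_parent):
        """Return a copy of this node placed under another container."""
        clone = Node(self.name, new_parent)
        clone.settings = dict(self.settings)
        return clone


def roles_for(permission, node):
    """Union roles up the chain; stop at the first node with acquire off."""
    roles = set()
    while node is not None:
        acquire, granted = node.settings.get(permission, (True, set()))
        roles |= granted
        if not acquire:
            break
        node = node.parent
    return roles


def can_view(user_roles, node):
    return bool(set(user_roles) & roles_for("View", node))


def build():
    root = Node("root")
    root.set_permission("View", acquire=False, roles={"Anonymous", "Manager"})
    portal = Node("portal", root)
    portal_skins = Node("portal_skins", portal)
    my_skin = Node("my_skin", portal_skins)
    # The setting from the post: acquire unchecked, Anonymous unchecked.
    my_skin.set_permission("View", acquire=False, roles={"Manager"})
    austin = Node("austin", my_skin)
    obj = Node("object", austin)
    direct = obj                       # portal/portal_skins/my_skin/austin/object
    via_skin = obj.in_context(portal)  # portal/object (ASSUMED: portal context)
    return direct, via_skin
```

In this model the restriction on 'my_skin' only takes effect on the direct path, because it is the only path whose containment chain passes through that folder.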