[Zope-dev] Zope security alert and 2.2 information

R. David Murray bitz@bitdance.com
Mon, 15 May 2000 17:50:46 -0400 (EDT)


On 12 May 2000, Kent Polk wrote:
> Some browsers *do* only pass authentication info when the server
> requests it.  We discovered this a couple of years ago when
> experimenting with the newly-developed domain authentication that
> I asked to be implemented in userfolders with Principia.

Unless I'm badly mistaken, the standard Zope management interface
has a problem with this.

My perception is that w3m is a browser that only passes auth
info when requested.  If I'm looking at a management screen,
and I click on a link that takes me to 'manage_workspace' for
that object, Zope responds as if I am not authenticated.  If I
explicitly type in the URL with 'manage_main', then I get the
management screen.  I'm *guessing* that manage_workspace somehow
does not require 'view management screens' permission but
'manage_main' does.

What are other browsers that have this behavior?  I'd like to test
my theory...

If I'm right, is this a bug in Zope?

--RDM
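The behaviour under discussion (a client that sends credentials only after a 401 challenge, against a server where one URL challenges and another does not) can be reproduced offline. The following is an added example, not Zope code and not part of the original message: a tiny in-memory "server" that models the poster's guess that manage_main demands the permission (and therefore challenges) while manage_workspace does not, plus two constructed clients, one challenge-only (the w3m-style behaviour described above) and one that sends Authorization preemptively. Names, paths, credentials and the realm string are all constructed assumptions.

```python
import base64
import binascii

# Constructed credential store for the example; not Zope's user folder.
USERS = {"admin": "secret"}


def _user_from_basic_header(headers):
    """Parse an HTTP Basic Authorization header; return the user name or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    name, _, password = decoded.partition(":")
    return name if USERS.get(name) == password else None


def server(path, headers):
    """Hypothetical server modelling the hypothesis in the message.

    Returns (status, response_headers, body).
    - .../manage_main   : requires the user; anonymous gets a 401 challenge.
    - .../manage_workspace : no permission check, so it never challenges and
                             an anonymous request simply renders as Anonymous.
    """
    user = _user_from_basic_header(headers)
    if path.endswith("/manage_main"):
        if user is None:
            return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}, "Unauthorized"
        return 200, {}, "management screen for %s" % user
    if path.endswith("/manage_workspace"):
        # No challenge is ever issued here, so a challenge-only client
        # never learns that it should send credentials.
        return 200, {}, "workspace for %s" % (user or "Anonymous User")
    return 404, {}, "not found"


def _basic_token(username, password):
    return "Basic " + base64.b64encode(
        ("%s:%s" % (username, password)).encode()).decode()


def challenge_only_client(path, username, password):
    """Mimic a browser that sends Authorization only after a 401 challenge.

    Returns (status, body, credentials_were_sent).
    """
    status, hdrs, body = server(path, {})
    if status == 401 and hdrs.get("WWW-Authenticate", "").startswith("Basic"):
        status, hdrs, body = server(
            path, {"Authorization": _basic_token(username, password)})
        return status, body, True
    return status, body, False


def preemptive_client(path, username, password):
    """Mimic a browser that already holds credentials for the site and sends
    them on every request without waiting for a challenge (simplified: the
    real browser rule is per realm / path prefix)."""
    status, _, body = server(
        path, {"Authorization": _basic_token(username, password)})
    return status, body, True


if __name__ == "__main__":
    for client in (challenge_only_client, preemptive_client):
        for url in ("/site/manage_main", "/site/manage_workspace"):
            print(client.__name__, url, client(url, "admin", "secret"))
```

Run as a script, the challenge-only client is served manage_main as admin but manage_workspace as "Anonymous User", while the preemptive client is admin on both. The practical check against a real server is therefore not the browser but the response: fetch the URL with no Authorization header and see whether a 401 with WWW-Authenticate comes back; if a 200 does, a challenge-only client has no reason to authenticate there.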