[Zope-dev] Bugs in Zope Membership Component 0.8.0b1

Bill Anderson bill@libc.org
Fri, 23 Feb 2001 01:42:07 -0700


Dirksen wrote:

> Hi Bill,
> 
> All PythonScripts in ZMC 0.8.0b1 look like a direct port from Python Methods, so I found
> some bugs due to the incompatibility between these two versions of scripts.
> 
> 1. In 'passwordForm', 'import string' should be added.

for those watching, it is actually genPasswordForm  :)

> 2. In 'passwordPolicy', 'self' should be omitted in the parameters list.
yup

> 3. 'register', I think, should be proxy to 'Manager', like the original version.

done

 
> There's another bug: an anonymous user can access an account's manageMe method! Say if there's
> an account 'dummy', anyone can open 'www.dumy.com/test/acl_users/dummy/manageMe'. I think
> the permission to view 'manageMe' should be hooked up to that of viewing management
> screen. I see that you have made some special arrangements in the 'Define Permission' tab
> of 'Portal Member' ZClass definition, but that doesn't seem to protect its instance,
> which is a puzzle to me: what's the use to define permissions in ZClass definition or
> products?

Even better, changing the permissions on the method in the ZClass doesn't seem to propagate to existing entries,
but does to new ones ...ohh, wait, damned browser caching ...
Ugh, must get some sleep.

Bill