[Zope] AW: [Zope] Problems with manage_clone

sathya linuxcraft@redspice.com
Thu, 6 Apr 2000 00:35:10 -0500


On Wed, 05 Apr 2000, you wrote:
> a.wacknitz@francotyp.com wrote:
> 
> > But isn't this a security hole? I don't want a user who guesses the name of
> > the method to call the method with arbitrary parameters and do things he is
> > not supposed to do...
If you have your DTML accessible to anon users then sure, anybody can, for
instance, view the form source and use the http module to execute your scripts.
If you set the right permissions only for valid users then you are
better off. As a rule of thumb it is always good to add an authorisation check
and other logic to all scripts that update a db.

 ##########################
 necessity is the 
mother of invention
##########################
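The advice above (a method reachable by URL can be called by anyone who guesses its name, so the update script itself should check authorisation) as an added example in plain Python; this is not Zope's code or API and not part of the thread. It models a hypothetical publisher that looks methods up by name and calls them with request parameters, and shows an unguarded update beside one gated by a permission decorator; the `Records`, `publish` and `"Manage records"` names are invented for the illustration.

```python
"""Gate URL-callable update methods behind an explicit authorisation check.

Added example (not Zope's code or API): a minimal model of a web publisher
that exposes an object's methods by name, the way a guessed URL would reach
them, plus a decorator that refuses to run a database-updating method unless
the request's user holds the required permission.
"""
from dataclasses import dataclass, field
from functools import wraps


class Unauthorized(Exception):
    """Raised when the caller lacks the permission a method demands."""


@dataclass
class User:
    name: str
    permissions: frozenset = frozenset()


ANONYMOUS = User("Anonymous")


@dataclass
class Request:
    user: User
    form: dict = field(default_factory=dict)  # query/form parameters


def requires_permission(permission):
    """Decorator: run the wrapped method only if request.user has `permission`."""
    def decorate(method):
        @wraps(method)
        def guarded(self, request):
            if permission not in request.user.permissions:
                raise Unauthorized(f"{request.user.name} lacks {permission!r}")
            return method(self, request)
        guarded.required_permission = permission
        return guarded
    return decorate


class Records:
    """Hypothetical object whose public methods are reachable by URL."""

    def __init__(self):
        self.db = {}  # constructed stand-in for a table: id -> value

    def update_unguarded(self, request):
        # The pattern the thread warns about: anyone who knows the name can
        # call it with whatever parameters they like.
        self.db[request.form["id"]] = request.form["value"]
        return "updated"

    @requires_permission("Manage records")
    def update_guarded(self, request):
        # Same update, but the script itself checks authorisation first.
        self.db[request.form["id"]] = request.form["value"]
        return "updated"


def publish(obj, method_name, request):
    """Model of a publisher: resolve the method by name, call it with the request.

    Returns an (http_status, body) pair so callers can see what the client saw.
    """
    method = getattr(obj, method_name, None)
    if method is None or method_name.startswith("_"):
        return (404, "not found")
    try:
        return (200, method(request))
    except Unauthorized as exc:
        return (401, str(exc))


def demo():
    """Run the unguarded and guarded updates as anonymous and as an editor."""
    records = Records()
    anon_req = Request(ANONYMOUS, {"id": "1", "value": "unwanted"})
    editor = User("editor", frozenset({"Manage records"}))
    editor_req = Request(editor, {"id": "1", "value": "ok"})

    return {
        "anon_unguarded": publish(records, "update_unguarded", anon_req)[0],
        "anon_guarded": publish(records, "update_guarded", anon_req)[0],
        "editor_guarded": publish(records, "update_guarded", editor_req)[0],
        "final_value": records.db["1"],
    }


if __name__ == "__main__":
    print(demo())
```

The unguarded call succeeds for the anonymous request (status 200) and writes to the table; the guarded one answers 401 for the same request and only the user holding the permission gets through, which is the "authorisation check in the script itself" the reply recommends rather than relying on nobody guessing the method name.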