[Zope] Re: [Zope-dev] possible security flaw? - and, request for a phone conference.
Brian Lloyd
Brian@digicool.com
Thu, 8 Jun 2000 09:48:10 -0400
> > Basically, if a user with manager privileges to a folder changes their
> > password to be empty, then anyone (from permitted domains) can access the
> > management screen for that folder Without Logging On... Zope assumes that
> > you are the user without the password and treats you as if you have those
> > rights.
>
> This is a feature, but I don't know if or where it is documented besides
> the source code (which is a bug if it isn't I guess).
You're right - it is a feature. You are also right that it isn't
documented anywhere that I can find :( I would suggest adding
this to the Collector (as a 'Documentation Request').
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com