[Zope] protecting users from hostile authors
Dieter Maurer
dieter@handshake.de
Sun, 26 Aug 2001 00:15:16 +0200 (CEST)
Kyler B. Laird writes:
> Looking around on Zope.org, I realized that this
> might already be addressed. Is there anything
> that prevents me (as a Zope community member
> with authoring privileges on zope.org) from
> luring users who have already authenticated with
> Zope.org to come look at my pages, and then
> running arbitrary commands with their
> privileges?
Starting with Zope 2.2, the effective permissions are the
intersection of those of the current user and those of the
executable's owner. That implies that authors cannot do
things by hijacking visitors.
Dieter
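The intersection rule Dieter describes, as an added illustration that is not part of the original thread and not Zope's own code: the role sets, permission grants and function names below are constructed for the example, and `intersect=False` stands in for the older behaviour in which only the visitor's roles counted.

```python
# Simplified model of the Zope 2.2+ rule from the post: code owned by one
# user and executed by another runs with the intersection of both role sets.
# Constructed example, not Zope's implementation; all names are made up.

# Which roles carry which permission on this hypothetical site.
PERMISSION_ROLES = {
    "View": {"Anonymous", "Authenticated", "Author", "Manager"},
    "Add Documents": {"Author", "Manager"},
    "Delete objects": {"Manager"},
    "Manage users": {"Manager"},
}


def allowed_by_roles(permission, roles):
    """True if any of the given roles has been granted the permission."""
    return bool(PERMISSION_ROLES.get(permission, set()) & set(roles))


def effective_roles(user_roles, owner_roles):
    """Roles a script runs with: the visitor's roles intersected with the
    script owner's roles, so neither party can lend the other privilege."""
    return set(user_roles) & set(owner_roles)


def script_may(permission, user_roles, owner_roles, intersect=True):
    """Permission check for code executing on behalf of a visitor.

    intersect=False models the older behaviour the question worries about,
    where the script simply inherited everything the visitor could do.
    """
    roles = effective_roles(user_roles, owner_roles) if intersect else set(user_roles)
    return allowed_by_roles(permission, roles)


# Scenario from the thread: a page owned by a community author is visited by
# a site Manager. Every logged-in user also holds Authenticated and Anonymous.
HOSTILE_AUTHOR = {"Author", "Authenticated", "Anonymous"}
VISITOR_MANAGER = {"Manager", "Authenticated", "Anonymous"}

if __name__ == "__main__":
    for perm in PERMISSION_ROLES:
        print(f"{perm:15} visitor-only: {script_may(perm, VISITOR_MANAGER, HOSTILE_AUTHOR, intersect=False)!s:5} "
              f"intersection: {script_may(perm, VISITOR_MANAGER, HOSTILE_AUTHOR)}")
```

With the intersection applied, the author-owned script can still view content (both sides hold Authenticated) but can no longer delete objects or manage users on the Manager's behalf.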