[Zope] non-root managers can remove products
Oleg Broytmann
Oleg Broytmann <phd@mail2.phd.pp.ru>
Fri, 9 Mar 2001 16:08:03 +0300 (MSK)
On Thu, 8 Mar 2001, Randall F. Kern wrote:
> root
> a
> acl_users
> bob, role manager
>
> Now go to http://yourserver.com/a/Control_Panel/manage_main. Log in as
> bob. The page is displayed, and some of the options work, like you can
> remove products.
>
> Is this a bug or a misunderstanding on my part?
It looks like a big security hole in Zope. The problem here is that
Control_Panel should not be acquired. Please report the bug to the Collector.
Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
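As an added illustration (not code from this thread or from Zope itself), the following toy model shows the mechanism the thread is about: implicit acquisition resolving /a/Control_Panel to the root's Control_Panel, and a role check that then runs with the roles bob holds in /a rather than in the root. The `Node`, `traverse` and `access` names, the `acquirable` flag, and the `Manager` role on /a are all constructed for this example; the fix shown is simply to refuse to find Control_Panel by acquisition, which is what the reply above asks for.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """A folder-like object in a constructed containment tree (not Zope's real classes)."""
    name: str
    acquirable: bool = True                        # may this object be found via acquisition?
    children: dict = field(default_factory=dict)
    local_roles: dict = field(default_factory=dict)  # user -> set of roles granted here
    parent: "Node | None" = None

    def add(self, child):
        child.parent = self
        self.children[child.name] = child
        return child


def traverse(root, path):
    """Resolve a URL path with implicit acquisition.

    At each step the name is looked up in the current node, then in its
    ancestors. Returns the acquisition chain: every node the request passed
    through, ending with the target, which is what a role check then sees.
    """
    chain = [root]
    for part in [p for p in path.split("/") if p]:
        cur = chain[-1]
        found = None
        while cur is not None:
            child = cur.children.get(part)
            if child is not None:
                # A direct child is always reachable; an ancestor's child is
                # reachable only if it is marked acquirable.
                if cur is chain[-1] or child.acquirable:
                    found = child
                break
            cur = cur.parent
        if found is None:
            raise LookupError(part)
        chain.append(found)
    return chain


def roles_in_chain(user, chain):
    """Roles the user holds anywhere along the acquisition chain.

    This is the weak spot: roles granted on /a are collected for an object
    that really lives in the root, because /a is part of the chain.
    """
    roles = set()
    for node in chain:
        roles |= node.local_roles.get(user, set())
    return roles


def can_manage(user, chain):
    return "Manager" in roles_in_chain(user, chain)


def access(user, root, path):
    """Outcome of user requesting path: 'allowed', 'denied' or 'not found'."""
    try:
        chain = traverse(root, path)
    except LookupError:
        return "not found"
    return "allowed" if can_manage(user, chain) else "denied"


def build_site(control_panel_acquirable):
    """The layout from the report: root, a, and bob as Manager inside a."""
    root = Node("root")
    root.add(Node("Control_Panel", acquirable=control_panel_acquirable))
    a = root.add(Node("a"))
    a.local_roles["bob"] = {"Manager"}
    return root


if __name__ == "__main__":
    buggy = build_site(control_panel_acquirable=True)
    fixed = build_site(control_panel_acquirable=False)
    print("buggy /a/Control_Panel:", access("bob", buggy, "/a/Control_Panel"))  # allowed
    print("buggy /Control_Panel:  ", access("bob", buggy, "/Control_Panel"))    # denied
    print("fixed /a/Control_Panel:", access("bob", fixed, "/a/Control_Panel"))  # not found
    print("fixed /a:              ", access("bob", fixed, "/a"))                # allowed
```

The point of the model is that the check itself is not wrong; what is wrong is that an object which should exist only at the root can be reached through a sub-folder's URL and so inherits that sub-folder's role grants. Making Control_Panel non-acquirable removes the path entirely, while bob's legitimate management of /a is unaffected.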