[Zope] Security question concerning DTML Method

oliver.erlewein@sqs.de
Wed, 17 Apr 2002 10:32:43 +0200 (MET DST)


Hi Zopistas

I've got a question about whether this is the correct behaviour...

I give somebody the right to add "Documents, Images and Files" and don't give him the right to "Change DTML Method". Then I log in as that user and I get DTML Method in the drop-down list (already peculiar), and when I select it I can create a DTML Method AND upload a file to it!!!! However, when I try to change the DTML Method I get a login window asking me to log in (that's OK). So I can't change anything afterwards, but I can upload what I want.

This is somehow a quite drastic security breach in my humble opinion. Maybe it would help to split the Add right into three parts?!

Regards Oliver

Oh, and if someone needs the exact information please contact me and I'll send it, but it's a little too much for the mailing list. ;-))