[Zope] Re: Mailhost expects different security settings in different folders

Lennart Regebro regebro at nuxeo.com
Wed Jan 28 05:45:20 EST 2004


From: "Andreas Tille" <tillea at rki.de>
> On my live system I define certain roles in the /Influenza folder and
> some users who get these roles (but not the 'Manager' role!).  They
> are perfectly able to send mails without being 'Manager' and there is
> certainly no reason to have this role just to send mails.

If that is the only role that has the 'Use mailhost services' permission in
the root, it is. And that is the default setting. And since you define your
roles lower than where MailHost is located, you can't set that permission on
these roles either. Maybe if you set "Authenticated" so it had 'Use mailhost
services' it might work. I'm not sure if you are "Authenticated" above where
you are created.

On no account give the right to "Anonymous". If you do, people can use
your system to send spam. I don't think this has ever actually happened with
Zope and MailHost, but it is theoretically possible. Similar exploits have
been used with some infamous PHP scripts.