[Zope-PTK] a serious security bug??

Alan Pogrebinschi alanpog@empresa.net
Sun, 9 Jul 2000 20:29:23 -0400

I just installed PTK from CVS on a Zope 2.2b3/Linux.

The first thing I did was to add some users, members w/o any privilege. I
was un-logged when adding them, and used the Portal interface ('Join'). So I
just emulated an user adding herself the standard PTK way.

But then, I realized that all the unprivileged members could access and
successfully modify the "Reconfigure Portal" !!! They can do that by
following the link "My Stuff", then the "reconfigure portal" links appears
and is editable (and changes do commit). This is a serious security flaw and
I believe other parts of PTK may be affected by it. Or is it a more general
Zope problem?

I have checked the acl-user folder and those members have only a "Member"
role. I have also checked the security tab and Members do not have that kind
of access enabled.

Anyone who wants to try with my own installation can go to
http://br.fm/Zope/pteste and "Join".

Am I missing something?? Or is it a security problem?