[Zope-PTK] a serious security bug??

matsuda-toshio@fujielectric.co.jp matsuda-toshio@fujielectric.co.jp
Mon, 10 Jul 2000 20:44:30 +0900 (JST)


Hi,

>>>>> Date: Sun, 09 Jul 2000 20:29:23 -0400
>>>>> Subject: [Zope-PTK] a serious security bug??
>>>>> alanpog@empresa.net(Alan Pogrebinschi) said:
> 
> But then, I realized that all the unprivileged members could access and
> successfully modify the "Reconfigure Portal" !!! They can do that by
> following the link "My Stuff", then the "reconfigure portal" links appears

I found the same thing the other day, but it can be avoided as follows:

(1) Open the security tab of <PTK Instance Root>/Members folder.
(2) Reset 'acquire permission setting' of 'Manage Portal' role

Or equivalently, in 'install' method in PTKDemo/Portal.py
after adding 'Members' folder put the following line:

self.Members.manage_permission('Manage portal', ['Manager'])

I hope it will help.

-- 
Toshio Matsuda
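To make the mechanism behind the two fixes above concrete, here is a small added Python model of Zope 2 permission acquisition. It is not Zope code and is not part of the original message: the Folder class, the two-level portal tree, and the root-level grant of 'Manage portal' to the Member role are constructed assumptions chosen so the toy reproduces the symptom (the message does not say from which container the Members folder acquires the permission). The `manage_permission(permission, roles, acquire=0)` shape mirrors the real Zope method, whose acquire flag defaults to 0, which is why the one-line call in Portal.py both restricts the roles and stops acquisition in the same step.

```python
# Toy model of Zope 2 permission acquisition (added illustration, not Zope code).
# Folder tree, role mappings and the root grant to 'Member' are constructed assumptions.


class Folder:
    """Minimal stand-in for a Zope folderish object with per-permission role settings."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        # permission -> (explicit roles, acquire-from-container flag)
        self._permissions = {}

    def manage_permission(self, permission_to_manage, roles=(), acquire=0):
        """Mirror the shape of Zope's manage_permission: set the roles that
        carry a permission on this object and whether further roles are
        acquired from the container. As in Zope, acquire defaults to off."""
        self._permissions[permission_to_manage] = (set(roles), bool(acquire))

    def roles_for_permission(self, permission):
        """Effective roles: explicit roles here, plus the container's roles
        when the permission is left to acquire (the default for an unset permission)."""
        roles, acquire = self._permissions.get(permission, (set(), True))
        if acquire and self.parent is not None:
            roles = roles | self.parent.roles_for_permission(permission)
        return roles

    def allowed(self, permission, user_roles):
        """True if any of the user's roles carries the permission on this object."""
        return bool(self.roles_for_permission(permission) & set(user_roles))


def audit(folder, permission):
    """Defender-side check: report the effective roles and whether this folder
    still acquires the permission from its container."""
    _, acquire = folder._permissions.get(permission, (set(), True))
    return {
        "folder": folder.name,
        "effective_roles": sorted(folder.roles_for_permission(permission)),
        "acquires": acquire,
    }


def build_members_folder(fixed):
    """Construct Portal/Members. The root grant of 'Manage portal' to 'Member'
    is an assumed misconfiguration that the Members folder picks up by acquisition."""
    root = Folder("Portal")
    root.manage_permission("Manage portal", ["Manager", "Member"])  # constructed
    members = Folder("Members", parent=root)
    if fixed:
        # Equivalent of the line suggested for PTKDemo/Portal.py's install method:
        # only Manager, and acquire=0 so nothing is inherited from the container.
        members.manage_permission("Manage portal", ["Manager"])
    return members


if __name__ == "__main__":
    for fixed in (False, True):
        m = build_members_folder(fixed)
        print("fixed" if fixed else "unfixed", audit(m, "Manage portal"),
              "member allowed:", m.allowed("Manage portal", ["Member"]))
```

Running the block prints the audit for both states: unfixed, the Members folder acquires the permission and an ordinary Member is allowed; fixed, only Manager remains and acquisition is off. The same `audit` idea is what a practitioner would replicate against a live instance by reading the Security tab of the Members folder, as step (1) above describes.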