[Zope-PTK] a serious security bug??
matsuda-toshio@fujielectric.co.jp
Mon, 10 Jul 2000 20:44:30 +0900 (JST)
Hi,
>>>>> Date: Sun, 09 Jul 2000 20:29:23 -0400
>>>>> Subject: [Zope-PTK] a serious security bug??
>>>>> alanpog@empresa.net(Alan Pogrebinschi) said:
>
> But then, I realized that all the unprivileged members could access and
> successfully modify the "Reconfigure Portal" !!! They can do that by
> following the link "My Stuff", then the "reconfigure portal" link appears
I found the same thing the other day, but it can be avoided as follows:
(1) Open the security tab of <PTK Instance Root>/Members folder.
(2) Reset 'acquire permission setting' of 'Manage Portal' role
Or equivalently, in the 'install' method in PTKDemo/Portal.py,
after adding the 'Members' folder, put the following line:
    self.Members.manage_permission('Manage portal', ['Manager'])
I hope it will help.
--
Toshio Matsuda
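
The effect of the one-line fix above, as an added example that is not part of the original post or of PTK: a small stand-in for Zope's permission acquisition shows why switching acquisition off on Members closes the hole for every folder beneath it, while the portal root keeps its own setting. The Folder class, the member folder "alan" and the "Member" role are assumptions made for illustration.

```python
class Folder:
    """Minimal stand-in for a Zope folder's role manager (constructed, not Zope code)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self._settings = {}  # permission -> (roles, acquire flag)

    def manage_permission(self, permission, roles=(), acquire=0):
        # Same argument order as the call in the post; acquire=0 means
        # "do not inherit role settings from the parent folder".
        self._settings[permission] = (tuple(roles), bool(acquire))

    def effective_roles(self, permission):
        """Roles holding `permission` here, following acquisition upward."""
        roles, node = set(), self
        while node is not None:
            local, acquire = node._settings.get(permission, ((), True))
            roles.update(local)
            if not acquire:
                return roles  # acquisition switched off: stop climbing
            node = node.parent
        roles.add("Manager")  # unset all the way up: modelled as Manager only
        return roles


def build_portal(apply_fix):
    root = Folder("portal")
    members = Folder("Members", parent=root)
    home = Folder("alan", parent=members)  # a member's folder (constructed)
    # ASSUMPTION: a role held by ordinary members has the permission higher
    # up; the post does not say which one, so "Member" is a placeholder.
    root.manage_permission("Manage portal", ["Manager", "Member"], acquire=1)
    if apply_fix:
        members.manage_permission("Manage portal", ["Manager"])
    return root, members, home


def can_reconfigure(folder, user_roles):
    return bool(folder.effective_roles("Manage portal") & set(user_roles))
```

The same check run against the root folder still succeeds for the placeholder role after the fix, so the setting at the portal root needs its own review.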