[Zope-PTK] a serious security bug??
Mon, 10 Jul 2000 20:44:30 +0900 (JST)
>>>>> Date: Sun, 09 Jul 2000 20:29:23 -0400
>>>>> Subject: [Zope-PTK] a serious security bug??
>>>>> firstname.lastname@example.org(Alan Pogrebinschi) said:
> But then, I realized that all the unprivileged members could access and
> successfully modify the "Reconfigure Portal" !!! They can do that by
> following the link "My Stuff", then the "reconfigure portal" link appears
I found the same thing the other day, but it can be avoided as follows:
(1) Open the security tab of <PTK Instance Root>/Members folder.
(2) Reset 'acquire permission setting' of 'Manage Portal' role
Or equivalently, in 'install' method in PTKDemo/Portal.py
after adding 'Members' folder put the following line:
    self.Members.manage_permission('Manage portal', ['Manager'])
I hope it will help.
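
Added example, not part of the original message and not Zope or PTK code: a small Python model of permission acquisition showing why the `manage_permission` call above cuts the Members folder off from roles granted higher up, plus a check for folders that still acquire. The `Folder` class, the `audit` helper, the member folder name and the roles granted at the portal root are assumptions made for illustration.

```python
# Toy model of Zope-style permission acquisition (not Zope or PTK code).
class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.settings = {}  # permission -> (roles, acquire flag)

    def manage_permission(self, permission, roles=(), acquire=0):
        """Same argument order as the call in the post; acquire defaults to off."""
        self.settings[permission] = (set(roles), bool(acquire))

    def effective_roles(self, permission):
        """Union local roles with the parents' until a folder stops acquiring."""
        roles, node = set(), self
        while node is not None:
            # A folder with no explicit setting acquires from its parent.
            local, acquire = node.settings.get(permission, (set(), True))
            roles |= local
            if not acquire:
                break
            node = node.parent
        return roles

    def still_acquiring(self, permission):
        return self.settings.get(permission, (set(), True))[1]


def build_portal():
    # Constructed sample tree; the roles granted at the portal root are an assumption.
    portal = Folder("portal")
    portal.manage_permission("Manage portal", ["Manager", "Owner"], acquire=1)
    members = Folder("Members", parent=portal)
    home = Folder("alice", parent=members)  # hypothetical member folder
    return portal, members, home


def audit(folders, permission):
    """Return names of folders where the permission is still acquired."""
    return [f.name for f in folders if f.still_acquiring(permission)]


if __name__ == "__main__":
    portal, members, home = build_portal()
    print("before:", sorted(home.effective_roles("Manage portal")))
    members.manage_permission("Manage portal", ["Manager"])  # the fix from the post
    print("after: ", sorted(home.effective_roles("Manage portal")))
    print("still acquiring:", audit([portal, members, home], "Manage portal"))
```

Folders below Members keep acquiring, but the walk stops at Members, so only the roles set there reach the member folders.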