[Zope-CMF] Bug in zpt_generic

Kent Polk kent@goathill.org
Tue, 23 Apr 2002 10:52:07 -0500 (CDT)

 Heimo wrote:

> Using CMF 1.3 beta and noticed that if I set in a subfolder security 
> in a way that Access content information is not on, the Folder is 
> still visible to the anonymous user in the index_html of the parent 
> directory.
> If the user tries to access the directory, then he is forced to login...

This also existed in 1.2 under the conditions I mentioned with the
'Securing CMF with Page Templates' bug that I mentioned a little
while back.

A directory listing should most likely not provide information
concerning objects one does not have permission to access (this is
not a filesystem and it is certainly good practice to hide such
information as a precursor to actually protecting it and would be
more consistent with the CMF's notion of information hiding). And
when one does have permission to view an object, its attributes
should be accessible whether one views those attributes via a folder
listing or from the object's own methods.

It currently doesn't behave either of these two ways.