[Zope-CMF] Re: Security problem with CMF 1.2 ?

Lynn Walton waltonl@franklin.edu
Fri, 01 Feb 2002 08:22:59 -0600


Oops ... sorry, I forgot to change the subject from "Zope-CMF digest" on my last post.

Lynn Walton wrote:

> >
> > > Ah, I remember this bug;  the "Classic" type of DCWorkflow
> > > mistakenly grants 'View' when in 'private' state.
> >
> > Actually I can't see it in the code for any workflow. Isn't this rather
> > a manifestation of http://www.zope.org/Products/PTK/Tracker/410 ?
> >
>
> I reported it to the list on 1/7 as a bug in DCWorkflow that was still present in CVS version
> 0.4.2.
> It's around line 301, in def setupDefaultWorkflowClassic(wf): of Default.py in
> DCWorkflow ...
>
> after:
>     sdef = wf.states['pending']
>     sdef.setProperties(
>         title='Waiting for reviewer',
>         transitions=('publish', 'reject', 'retract',))
>
> SHOULD BE:
>     sdef.setPermission(p_access, 0, (r_owner, r_manager, r_reviewer))
>     sdef.setPermission(p_view, 0, (r_owner, r_manager, r_reviewer))
>
> WAS:
>     sdef.setPermission(p_access, 1, (r_anon, r_manager, r_reviewer))
>     sdef.setPermission(p_view, 1, (r_anon, r_manager, r_reviewer))
>
> I don't know if it ever made it into the tracker. I asked if I should put it in ... but didn't
> get any answer. And I'm not confident enough of my Zope Zen to "assume" it's a bug
> without a little confirmation.
>
> Lynn
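The snippet above shows why the 'pending' state is a problem: it copies the settings of a published item, so a not-yet-reviewed document is granted 'View' and 'Access contents information' to Anonymous directly, and with acquire=1 it would also pick up whatever the containing folder grants. The following is an added example, not DCWorkflow or CMF code and not written by the poster: it models a workflow state's permission map with a stand-in `State`/`Workflow` pair, builds the three Classic states with the pending state either as shipped or as corrected, and audits which non-published states Anonymous can reach. The class names, the `setup_classic` function, the private/published settings and the assumption that the portal folder grants View to Anonymous are all my own assumptions, made only so the check runs stand-alone.

```python
# Added example: a minimal stand-in for DCWorkflow state permission settings,
# used to find states that expose unpublished content to Anonymous.
# Not CMF/DCWorkflow code; State, Workflow, setup_classic and the non-pending
# state settings below are assumptions modelled on the snippet in the post.

from dataclasses import dataclass, field

# Permission and role names as used in the quoted Default.py snippet.
p_access = "Access contents information"
p_view = "View"
r_anon = "Anonymous"
r_owner = "Owner"
r_manager = "Manager"
r_reviewer = "Reviewer"


@dataclass
class State:
    title: str = ""
    transitions: tuple = ()
    # permission name -> (acquire flag, roles granted in this state)
    permissions: dict = field(default_factory=dict)

    def setProperties(self, title="", transitions=()):
        self.title = title
        self.transitions = tuple(transitions)

    def setPermission(self, permission, acquire, roles):
        self.permissions[permission] = (int(acquire), tuple(roles))


class Workflow:
    def __init__(self):
        self.states = {}

    def addState(self, name):
        self.states[name] = State()
        return self.states[name]


def setup_classic(wf, fixed):
    """Build private/pending/published as in the Classic workflow.

    fixed=False reproduces the 'WAS' pending settings from the post,
    fixed=True the 'SHOULD BE' ones. The private and published settings
    are assumptions, chosen so only 'published' is meant to be public.
    """
    sdef = wf.addState("private")
    sdef.setProperties(title="Visible only to owner and reviewers",
                       transitions=("submit", "publish"))
    sdef.setPermission(p_access, 0, (r_owner, r_manager, r_reviewer))
    sdef.setPermission(p_view, 0, (r_owner, r_manager, r_reviewer))

    sdef = wf.addState("pending")
    sdef.setProperties(title="Waiting for reviewer",
                       transitions=("publish", "reject", "retract"))
    if fixed:
        sdef.setPermission(p_access, 0, (r_owner, r_manager, r_reviewer))
        sdef.setPermission(p_view, 0, (r_owner, r_manager, r_reviewer))
    else:
        sdef.setPermission(p_access, 1, (r_anon, r_manager, r_reviewer))
        sdef.setPermission(p_view, 1, (r_anon, r_manager, r_reviewer))

    sdef = wf.addState("published")
    sdef.setProperties(title="Public", transitions=("reject", "retract"))
    sdef.setPermission(p_access, 1, (r_anon, r_manager, r_reviewer))
    sdef.setPermission(p_view, 1, (r_anon, r_manager, r_reviewer))
    return wf


def exposed_to_anonymous(wf, parent_grants_anon=True):
    """Return sorted (state, permission) pairs that Anonymous can reach.

    A permission is reachable if Anonymous is granted it directly, or if
    acquire=1 and the container already grants it to Anonymous. The
    parent_grants_anon assumption reflects a public site, where the
    portal folder grants View and Access to Anonymous.
    """
    exposed = []
    for name, sdef in wf.states.items():
        for perm, (acquire, roles) in sdef.permissions.items():
            if r_anon in roles or (acquire and parent_grants_anon):
                exposed.append((name, perm))
    return sorted(exposed)


def unpublished_visible_to_anonymous(wf, parent_grants_anon=True):
    """Audit: anything here is content Anonymous can read before review."""
    return [(s, p) for s, p in exposed_to_anonymous(wf, parent_grants_anon)
            if s != "published"]


if __name__ == "__main__":
    print("as shipped:", unpublished_visible_to_anonymous(setup_classic(Workflow(), fixed=False)))
    print("corrected: ", unpublished_visible_to_anonymous(setup_classic(Workflow(), fixed=True)))
```

The audit treats acquire=1 as a grant on its own, not just the explicit Anonymous role, because with acquisition the state inherits the folder's role map. That is why the correction in the post sets the acquire flag to 0 as well as dropping Anonymous from the roles: removing only the role would leave the pending item readable wherever the parent folder is public.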