[Zope-CMF] Security problem with CMF 1.2 ?

Doyon, Jean-Francois Jean-Francois.Doyon@CCRS.NRCan.gc.ca
Wed, 30 Jan 2002 08:58:45 -0500


Hello,

Thanks to both of you, this seems to have done it!

I guess I will always have to do this anytime I do any security changes?

In my case I'm not using DCWorkflow ... just the default workflow tool.  All
I did was simply go in and hit the "Update security settings", I didn't even
touch anything else!

One thing now is that when accessing the document, the user gets a "You are
not authorized to access this resource. No Authorization header found.",
instead of being redirected to the login form ...

In my case, this is actually good, since I don't want anonymous users to
ever be given even the idea they could log into the site :)

But I'm just wondering why this is happening, and where I control this
behavior from?

Thanks again for the help!
J.F.

-----Original Message-----
From: Tres Seaver [mailto:tseaver@zope.com]
Sent: Wednesday, January 30, 2002 7:42 AM
To: Florent Guillaume
Cc: zope-cmf@zope.org; shane@zope.com
Subject: Re: [Zope-CMF] Security problem with CMF 1.2 ?


On Wed, 30 Jan 2002, Florent Guillaume wrote:

> What workflow is this object using ? Are you sure the workflow sets
> permissions correctly (in particular, disables View when private) ?

Ah, I remember this bug;  the "Classic" type of DCWorkflow
mistakenly grants 'View' when in 'private' state.  Go to the
ZMI of the workflow, select the "Security" tab of the private
state, and remove 'View' from 'Anonymous'.  Then (as Florent
notes), click "Update security settings" on the tool, to permit
the workflow to apply your new settings.

Shane, can you double-check that this is fixed in CVS?

> Also use "Update security settings" in portal_workflow after a
> permission change in a DCWorkflow definition.
>
> Florent
>
> Doyon, Jean-Francois <Jean-Francois.Doyon@CCRS.NRCan.gc.ca> wrote:
> > Hello,
> >
> > I just recently installed CMF 1.2 and Zope 2.5.0 ... All is going well, but
> > now I've noticed a security problem:
> >
> > anonymous users can view "private" content!!!
> >
> > I've changed *NOTHING* to the security settings, except for disabling the
> > public "Join" ... (Add portal member)
> >
> > I checked the settings and "Access future portal content" is NOT assigned to
> > the Anonymous users, but "View" is ... As it should be. This at the root of
> > the zope site, and everything below.
> >
> > This is with the standard CMFDefault/Document.
> >
> > I noticed this when I fell upon a document that should've redirected me to
> > log in, but instead I see it and the actions box says "Status: Private" ...
> > yet I am not logged in ... (Yes I'm sure, since I also see "Log in" :)
>

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com


_______________________________________________
Zope-CMF maillist  -  Zope-CMF@zope.org
http://lists.zope.org/mailman/listinfo/zope-cmf

See http://www.zope.org/Products/PTK/Tracker for bug reports and feature requests
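The thread above turns on two separate things: the state definition of a workflow (which roles get "View" while an object is "private") and the permission settings actually stored on each object, which only get re-applied when "Update security settings" is clicked. The following is an added, self-contained Python model of that mechanism, written for this discussion and not DCWorkflow's or CMF's own code or API. The workflow, state, and document classes, the hypothetical "Classic" definition that lists Anonymous under View in the private state, and the audit helper are all constructed here to show why fixing the definition alone leaves already-existing private documents exposed until the tool re-applies the mappings.

```python
"""Constructed model of workflow state permissions vs. the permissions
applied to objects. This is an added illustration for the thread, not
DCWorkflow's own code; all names below are hypothetical."""

from dataclasses import dataclass, field

VIEW = "View"


@dataclass
class StateDefinition:
    # permission name -> set of roles granted it while an object is in this state
    permission_roles: dict = field(default_factory=dict)


@dataclass
class Workflow:
    states: dict  # state id -> StateDefinition


@dataclass
class Document:
    review_state: str
    # permission name -> roles actually stored on the object (what gets checked
    # at access time); only refreshed by update_security_settings()
    applied_roles: dict = field(default_factory=dict)


def classic_workflow_with_bug():
    """Hypothetical 'Classic'-style definition whose private state mistakenly
    lists Anonymous for View (the defect described in the thread)."""
    everyone = {"Anonymous", "Manager", "Owner", "Reviewer"}
    return Workflow(states={
        "private": StateDefinition({VIEW: set(everyone)}),
        "published": StateDefinition({VIEW: set(everyone)}),
    })


def remove_anonymous_view_from_private(wf):
    """The fix applied in the workflow's Security tab: drop Anonymous from
    View in the private state. This changes the definition only."""
    wf.states["private"].permission_roles[VIEW].discard("Anonymous")


def update_security_settings(wf, documents):
    """Model of the tool's 'Update security settings' button: re-apply each
    state's permission->roles mapping to every object in that state.
    Returns the number of objects whose stored settings changed."""
    changed = 0
    for doc in documents:
        state = wf.states[doc.review_state]
        fresh = {perm: set(roles) for perm, roles in state.permission_roles.items()}
        if fresh != doc.applied_roles:
            doc.applied_roles = fresh
            changed += 1
    return changed


def can_view(doc, user_roles):
    """Access check against the roles stored on the object, not the definition."""
    return bool(doc.applied_roles.get(VIEW, set()) & set(user_roles))


def audit_private_exposure(documents):
    """Defender's check: indices of private documents an anonymous user can view."""
    return [i for i, d in enumerate(documents)
            if d.review_state == "private" and can_view(d, ["Anonymous"])]


def demo():
    """Walk through the sequence from the thread and return the observations."""
    wf = classic_workflow_with_bug()
    docs = [Document("private"), Document("published")]  # constructed sample objects
    update_security_settings(wf, docs)            # initial application of the buggy definition
    before = audit_private_exposure(docs)         # private doc is exposed
    remove_anonymous_view_from_private(wf)        # edit the definition only
    still_exposed = audit_private_exposure(docs)  # objects unchanged until the tool re-applies
    refreshed = update_security_settings(wf, docs)
    after = audit_private_exposure(docs)          # exposure gone
    return before, still_exposed, refreshed, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the private document exposed both before and immediately after the definition is corrected, and only closed once the mappings are re-applied (one object changes, the published one does not); the `audit_private_exposure` helper is the kind of check worth running after any workflow permission edit.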