[Zope] A bug in Membership product? (member password can be revealed by dtml method accessible by anonymous)

Dirksen dirksen_lau@yahoo.com
Wed, 3 Jan 2001 18:36:35 -0800 (PST)


Hi Bill,

A dtml method with these lines:

<dtml-with "acl_users.getItem('z')">
<dtml-var password>
</dtml-with>

will show the password, despite the fact that the method is accessible by anonymous. Members in
my site are allowed to use dtml methods. How can I prevent them from reading others'
properties?

Dirksen
