[Zope-CMF] Permission problem with type actions

Dieter Maurer dieter@handshake.de
Wed, 9 Jul 2003 20:50:14 +0200


Rainer Thaden wrote at 2003-7-9 16:20 +0200:
 > I have some Filesystem based classes in CMF which have a View, edit
 > form and edit action.
 > When an instance of such a class is private and I try to access the
 > url of the instance as anonymous I get a login prompt.
 > But when I append the name of the action (etc. url/edit_form) I can
 > access it as anonymous.

You probably hit a security hole...

I expect the following:

  The workflow just captures "View" (therefore, you are unable
  to view the object when it is private).

  The object itself is however probably protected by
  "Access contents information" which seems not captured
  by the workflow.
  As a consequence, the template can read and render
  the object content.

  Please file a bug report.


A fix would be to capture "Access contents information" as well
and define the permission-role mapping as for "View".



 > In the types tool there is a permission 'modify portal content' set to
 > this action.

This only controls the display of the action.
It has no effect whatsoever on a request that directly addresses
the corresponding URL.


Dieter
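As an added illustration, not code from this thread or from CMF itself: a small constructed Python model of DCWorkflow-style permission-role maps that reproduces the gap Dieter describes (only "View" captured by the private state) and the proposed fix (capture "Access contents information" with the same mapping). The site-level role sets and the assumption that a directly addressed skin template such as edit_form only needs "Access contents information" on the object are constructed for the example.

```python
# Constructed model of workflow permission-role maps (not CMF code).
VIEW = "View"
ACCESS = "Access contents information"

# Assumed site-level (acquired) mapping: a public site grants both to Anonymous.
SITE_ROLES = {
    VIEW: {"Anonymous", "Member", "Owner", "Manager"},
    ACCESS: {"Anonymous", "Member", "Owner", "Manager"},
}

# A workflow state maps permission -> (acquire_flag, roles). A permission the
# state does not list is left untouched on the object, i.e. fully acquired.
PRIVATE_STATE_BUGGY = {VIEW: (False, {"Owner", "Manager"})}
PRIVATE_STATE_FIXED = {
    VIEW: (False, {"Owner", "Manager"}),
    ACCESS: (False, {"Owner", "Manager"}),   # the fix: same mapping as View
}

# Which permission each request path needs on the object (assumption for the
# example): the object URL runs the default view, guarded by View; a skin
# template named explicitly only reads the object, guarded by Access.
REQUIRED = {"": VIEW, "edit_form": ACCESS}


def effective_roles(state, permission):
    """Roles holding `permission` on an object in `state`."""
    captured = state.get(permission)
    if captured is None:
        return set(SITE_ROLES[permission])          # not managed: acquired
    acquire, roles = captured
    roles = set(roles)
    if acquire:                                     # local roles plus acquired
        roles |= SITE_ROLES[permission]
    return roles


def request(state, action, user_roles):
    """True if a user with `user_roles` may fetch `object_url/action`."""
    needed = effective_roles(state, REQUIRED[action])
    return bool(needed & set(user_roles))


def leaked_actions(state, user_roles=("Anonymous",)):
    """Actions reachable by `user_roles` although the object URL itself is not."""
    if request(state, "", user_roles):
        return []
    return [a for a in REQUIRED if a and request(state, a, user_roles)]
```

`leaked_actions(PRIVATE_STATE_BUGGY)` returns `['edit_form']`, the symptom from the original report, while the fixed state returns an empty list.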