[Zope-dev] Zope security alert and 2.2 information

Anthony Baxter <anthony@interlink.com.au>
Tue, 16 May 2000 11:47:12 +1000


>>> "R. David Murray" wrote
> My perception is that w3m is a browser that only passes auth
> info when requested.  If I'm looking at a management screen,
> and I click on a link that takes me to 'manage_workspace' for
> that object, Zope responds as if I am not authenticated.  If I
> explicitly type in the URL with 'manage_main', then I get the
> management screen.  I'm *guessing* that manage_workspace somehow
> does not require 'view management screens' permission but
> 'manage_main' does.

This is a bug in w3m. Once you've been prompted, you're meant to
keep sending the auth info. I'd dig out the RFC reference, but I
can't be bothered right now :)

manage_workspace is a magic method that redirects you to the default
page _for your role_. If w3m doesn't send the auth info, then it will
send the default page for the unauthenticated user.

You can also see this in netscape &c when bringing up the two pane
view - if the left hand menu frame is slower to load, the right hand
one will load first and will render the unauthenticated user's view
of the top level page.

In the past the w3m author's been more than happy to fix bugs in his
browser - mail him and ask?

Anthony
-- 
Anthony Baxter     <anthony@interlink.com.au>   
It's never too late to have a happy childhood.
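The behaviour Anthony describes, as an added toy model that is not Zope's code or anything posted in the thread: manage_workspace never challenges, it only redirects by role, so a client that sends credentials solely in direct reply to a 401 is redirected to the anonymous page, while one that keeps resending them for a realm it has already been challenged for (as RFC 2617 section 2 permits) lands on manage_main. The realm, user and password are constructed.

```python
import base64

# Constructed model: object names follow Zope (manage_workspace, manage_main); realm and credentials are made up.
REALM = "Zope"
USERS = {"admin": ("s3cret", "Manager")}

def role_for(headers):
    """Map an Authorization header to a role; anything missing or invalid is Anonymous."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return "Anonymous"
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:
        return "Anonymous"
    entry = USERS.get(user)
    return entry[1] if entry and entry[0] == pw else "Anonymous"

def zope(path, headers):
    """Toy server: manage_workspace never challenges, it redirects by role;
    manage_main requires Manager and answers 401 otherwise."""
    role = role_for(headers)
    if path == "/manage_workspace":
        return 302, {"Location": "/manage_main" if role == "Manager" else "/index_html"}, ""
    if path == "/manage_main":
        if role != "Manager":
            return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, ""
        return 200, {}, "management screen"
    return 200, {}, "public top-level page"

class Client:
    """Redirect-following client. resend=True keeps sending credentials for a realm
    it has already been challenged for (RFC 2617 section 2); resend=False sends
    them only in direct reply to a 401, the w3m behaviour described in the thread."""
    def __init__(self, creds, resend):
        self.auth = "Basic " + base64.b64encode(creds.encode()).decode()
        self.resend, self.realms = resend, set()
    def get(self, path):
        for _ in range(5):  # bounded redirect following
            headers = {"Authorization": self.auth} if self.resend and REALM in self.realms else {}
            status, resp, body = zope(path, headers)
            if status == 401:  # challenged: remember the realm and retry once with credentials
                self.realms.add(resp["WWW-Authenticate"].split('realm="')[1].rstrip('"'))
                status, resp, body = zope(path, {"Authorization": self.auth})
            if status == 302:
                path = resp["Location"]
                continue
            return path, body
        raise RuntimeError("too many redirects")
```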