[Zope] security (edit) problem for ttwtypes

vogel at glue.ch
Tue Nov 18 05:15:27 EST 2003


I discovered a security problem in my plone/zope installation for every
ttw-type.
environment:
- plone version 1.0.5
- os: windows 2000
- installed products: ttwtype, zopexmlmethods
- created ttwtype 'ttwTypnamesFoo' in folder /myPloneFolder

1) at the root folder of my plone instance, I created a role A with
permissions:
   a) Access session data and
   b) Access Transient Objects
2) I created user 01 with role A


- correct: the user 01 never gets to see the tab with the edit-action
- that's why on points 3) and 4) the access to the edit-form is done by
typing the url directly in the url-field of the browser.


3) correct:
- if user 01 wants to edit an object of type document (e.g.
/Plone/index_html), the edit-form will be shown, but the user cannot
save it. (-> msg: you are not allowed....)
- url was: http://........../Plone/index_html/portal_form/document_edit_form

4) problem:
- if user 01 wants to edit an object of a ttwtype (e.g.
/myPloneFolder/ttwTypnamesFoo), the edit-form will be shown, and the user
is ALLOWED to save it!!
- url was:
http://......./myPloneFolder/ttwTypnamesFoo/portal_form/ttw_edit_form


any ideas how I can restrict the edit-and-save-access to my ttwtype objects?



thanks for every input,
david.
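Added illustration for the report above (not code from the TTWType product, Plone or the original poster): a small Python model of how Zope resolves a permission's roles up the containment chain and of the difference between a save script that checks a permission and one that does not. The object ids, role A and user 01 are taken from the report; the permission-to-role settings, the permission name 'Modify portal content' as the guard on document_edit_form, and the assumption that the ttw save performs no check at all are constructed for the example. The audit() helper is the first thing to run against the real object: which roles actually end up holding the edit permission on /myPloneFolder/ttwTypnamesFoo once acquisition is taken into account.

```python
# Toy model of Zope permission resolution, written for this thread as an
# illustration.  NOT the TTWType product's or Plone's code.  Object ids,
# role 'A' and user '01' come from the report; the permission settings and
# the guard names below are constructed assumptions.

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class Unauthorized(Exception):
    """Stands in for AccessControl.Unauthorized."""


@dataclass
class ZObj:
    """A folderish object with per-permission role settings.

    permissions maps a permission name to (roles, acquire).  As in Zope,
    a setting with acquire=True is merged with the parent's setting for the
    same permission; acquire=False stops the walk at this object.
    """
    id: str
    parent: Optional["ZObj"] = None
    permissions: Dict[str, Tuple[Set[str], bool]] = field(default_factory=dict)

    def path(self) -> str:
        if self.parent is None:
            return ""
        return self.parent.path() + "/" + self.id


def roles_for_permission(obj: ZObj, permission: str) -> Set[str]:
    """Roles holding `permission` on `obj`, resolved up the containment
    chain: acquired settings accumulate, a non-acquired one ends the walk."""
    roles: Set[str] = set()
    node: Optional[ZObj] = obj
    while node is not None:
        setting = node.permissions.get(permission)
        if setting is not None:
            node_roles, acquire = setting
            roles |= node_roles
            if not acquire:
                break
        node = node.parent
    return roles


def check_permission(user_roles: Set[str], obj: ZObj, permission: str) -> bool:
    return bool(user_roles & roles_for_permission(obj, permission))


def save_edit(user_roles: Set[str], obj: ZObj, required: Optional[str]) -> str:
    """The 'save' half of an edit form.  required=None models a save script
    that performs no permission check at all, which is the assumed cause of
    case 4) in the report; a guarded save raises Unauthorized instead."""
    if required is not None and not check_permission(user_roles, obj, required):
        raise Unauthorized("%s: roles %s lack %r" % (obj.path(), sorted(user_roles), required))
    return "saved " + obj.path()


def audit(obj: ZObj, permission: str = "Modify portal content") -> Set[str]:
    """What to check first on the real object: which roles end up with the
    edit permission after acquisition."""
    return roles_for_permission(obj, permission)


def build_site() -> Dict[str, ZObj]:
    """Constructed hierarchy mirroring the report.  Role A holds only the two
    permissions granted in step 1; 'Modify portal content' is assumed to be
    held by Manager and Owner at the root and acquired further down."""
    root = ZObj("", permissions={
        "Access session data": ({"Manager", "A"}, False),
        "Access Transient Objects": ({"Manager", "A"}, False),
        "Modify portal content": ({"Manager", "Owner"}, False),
    })
    plone = ZObj("Plone", root)
    index_html = ZObj("index_html", plone)
    folder = ZObj("myPloneFolder", root)
    ttw = ZObj("ttwTypnamesFoo", folder)
    return {"index_html": index_html, "folder": folder, "ttw": ttw}


if __name__ == "__main__":
    site = build_site()
    user01 = {"A", "Authenticated"}
    try:  # case 3): guarded document save is refused
        save_edit(user01, site["index_html"], "Modify portal content")
    except Unauthorized as e:
        print("document:", e)
    # case 4): an unguarded save goes through for user 01
    print("ttw, no check:", save_edit(user01, site["ttw"], None))
    try:  # fix: guard the ttw save with the same permission as documents
        save_edit(user01, site["ttw"], "Modify portal content")
    except Unauthorized as e:
        print("ttw, guarded:", e)
    print("roles with edit on ttw object:", sorted(audit(site["ttw"])))
```

The model also shows why a local setting on /myPloneFolder matters: granting 'Modify portal content' to role A there with acquire on adds A to the inherited Manager/Owner set, while with acquire off it replaces the inherited set entirely, so audit() on the ttw object is the place to confirm what the security tab really grants before hunting for a missing check in the save script.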
