Josias Thöny wrote:
> Hi,
>
> Currently most admin usecases can be executed by a normal (non-admin)
> user, because it's possible to call admin usecases in the authoring
> area.
>
> You just have to enter:
> http://localhost:8888/default/authoring/index.html?lenya.usecase=admin.users
>
> And you can e.g. delete other users :)
>
> Probably we should protect all admin usecases in usecase-policies.xml in
> the default publication.
> Or should admin usecases only be allowed in the admin area?
Let's move to prohibit-by-default for usecases now. I have hacked up some code to do that, and it looks pretty simple. It would be a sure way to harden the trunk prior to release, and you can't miss anything that way because anything you miss will get broken...
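The difference between the two approaches discussed in this thread, as an added example that is not part of the original mail and not Lenya's own code: a tiny usecase authorizer run over the URL from the first message. The policy dictionaries, the `edit.page` usecase id, the role names and the per-area restriction are all constructed for illustration and do not reproduce the real usecase-policies.xml format. With allow-by-default, a usecase missing from the publication's policy (as `admin.users` is here) runs for any user, which is the hole reported above; with prohibit-by-default the same request is denied until someone adds an explicit entry.

```python
"""Allow-by-default vs. prohibit-by-default usecase authorization.

Constructed illustration of the discussion in the thread; not Lenya code,
and the policy structure below is not the real usecase-policies.xml format.
"""
from urllib.parse import parse_qs, urlparse

# Constructed policy modelled on a publication whose usecase-policies.xml
# lists editing usecases but forgot the admin ones. Hypothetical ids/roles.
UNPATCHED_POLICY = {
    "edit.page": {"roles": {"edit", "admin"}, "areas": {"authoring"}},
}

# Same policy after adding an explicit entry for admin.users, restricted to
# the admin role and to the admin area (the second question in the thread).
PATCHED_POLICY = {
    "edit.page": {"roles": {"edit", "admin"}, "areas": {"authoring"}},
    "admin.users": {"roles": {"admin"}, "areas": {"admin"}},
}

# The URL quoted in the thread.
REPORTED_URL = (
    "http://localhost:8888/default/authoring/index.html"
    "?lenya.usecase=admin.users"
)


def parse_request(url):
    """Return (area, usecase) from a Lenya-style URL.

    The path is assumed to look like /<publication>/<area>/..., and the
    usecase is taken from the lenya.usecase query parameter (None if absent).
    """
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    area = segments[1] if len(segments) > 1 else None
    usecase = parse_qs(parts.query).get("lenya.usecase", [None])[0]
    return area, usecase


def authorize(policy, url, roles, prohibit_by_default):
    """Decide whether a request may run its usecase.

    prohibit_by_default=False: a usecase with no policy entry is allowed
    (the behaviour that let a normal user reach admin.users).
    prohibit_by_default=True: a usecase must be listed, invoked from one of
    its declared areas, and granted to at least one of the caller's roles.
    """
    area, usecase = parse_request(url)
    if usecase is None:
        return True  # plain page request, no usecase to authorize
    entry = policy.get(usecase)
    if entry is None:
        return not prohibit_by_default
    if area not in entry["areas"]:
        return False
    return bool(set(roles) & entry["roles"])


if __name__ == "__main__":
    editor = {"edit"}
    for mode in (False, True):
        verdict = authorize(UNPATCHED_POLICY, REPORTED_URL, editor, mode)
        label = "prohibit-by-default" if mode else "allow-by-default"
        print(f"{label:20} editor -> admin.users in authoring: {verdict}")
```

Note that prohibit-by-default makes a forgotten policy entry fail closed, which is exactly why "anything you miss will get broken" in testing rather than silently exploitable in production; the per-area check is a separate decision and is only one possible answer to the second question in the thread.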
