Jörn Nettingsmeier wrote:
> Josias Thöny wrote:
>> Hi,
>> Currently most admin usecases can be executed by a normal (non-admin)
>> user, because it's possible to call admin usecases in the authoring
>> area.
>> You just have to enter:
>> http://localhost:8888/default/authoring/index.html?lenya.usecase=admin.users
>> And you can e.g. delete other users :)
>> Probably we should protect all admin usecases in usecase-policies.xml in
>> the default publication.
>> Or should admin usecases only be allowed in the admin area?
> Let's move to prohibit-by-default for usecases now. I have hacked up
> some code to do that, and it looks pretty simple. It would be a sure way to
> harden the trunk prior to release, and you can't miss anything that way
> because anything you miss will get broken...
Would you mind attaching the patch to the bug report?
Thanks!
-- Andreas
--
Andreas Hartmann
Wyona Inc. - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
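As an added illustration (not Lenya code, and not the format of usecase-policies.xml), the following model contrasts the two authorization strategies discussed in the thread: a policy that only restricts the usecases it lists, which lets the authoring-area call to admin.users through, against the prohibit-by-default rule Jörn proposes. The policy table, role names and the "edit" usecase are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed policy table standing in for a usecase-policies.xml: maps an
# (area, usecase) pair to the roles allowed to run it. Only admin.users comes
# from the thread; roles, the "edit" usecase and the table shape are assumptions.
POLICY = {
    ("admin", "admin.users"): {"admin"},
    ("authoring", "edit"): {"editor", "admin"},
}


@dataclass(frozen=True)
class Request:
    url: str
    roles: frozenset


def parse_usecase(url):
    """Return (area, usecase) from a Lenya-style URL, e.g.
    /default/authoring/index.html?lenya.usecase=admin.users -> ("authoring", "admin.users")."""
    parts = urlparse(url)
    segments = parts.path.strip("/").split("/")   # ["default", "authoring", "index.html"]
    area = segments[1] if len(segments) > 1 else ""
    usecase = parse_qs(parts.query).get("lenya.usecase", [None])[0]
    return area, usecase


def allow_by_default(req):
    """Policy is consulted only for usecases it lists; anything unlisted runs."""
    area, usecase = parse_usecase(req.url)
    if usecase is None:
        return True                      # plain page view, no usecase requested
    allowed_roles = POLICY.get((area, usecase))
    if allowed_roles is None:
        return True                      # the gap: admin.users is unlisted for "authoring"
    return bool(req.roles & allowed_roles)


def deny_by_default(req):
    """Prohibit-by-default: a usecase runs only where the policy grants it."""
    area, usecase = parse_usecase(req.url)
    if usecase is None:
        return True
    allowed_roles = POLICY.get((area, usecase), set())
    return bool(req.roles & allowed_roles)


# The request from the thread, issued by a non-admin editor.
ATTACKER = Request(
    "http://localhost:8888/default/authoring/index.html?lenya.usecase=admin.users",
    frozenset({"editor"}))
```

With prohibit-by-default, every usecase omitted from the policy stops working, which is exactly the "anything you miss will get broken" property that makes the gap visible during testing.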