Andreas Hartmann wrote:
> Jörn Nettingsmeier wrote:
>> Josias Thöny wrote:
>>> Hi,
>>>
>>> Currently most admin usecases can be executed by a normal (non-admin)
>>> user, because it's possible to call admin usecases in the authoring
>>> area.
>>>
>>> You just have to enter:
>>> http://localhost:8888/default/authoring/index.html?lenya.usecase=admin.users
>>>
>>> And you can e.g. delete other users :)
>>>
>>> Probably we should protect all admin usecases in usecase-policies.xml in
>>> the default publication.
>>> Or should admin usecases only be allowed in the admin area?
>>
>> Let's move to prohibit-by-default for usecases now. I have hacked up
>> some code to do that, and it looks pretty simple. It would be a sure way to
>> harden the trunk prior to release, and you can't miss anything that way,
>> because anything you miss will get broken...
>
> Would you mind attaching the patch to the bug report?

done.



--
"Open source takes the bullshit out of software."
        - Charles Ferguson on TechnologyReview.com

--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
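The prohibit-by-default usecase check discussed above, as an added example that is not part of this thread and not Lenya's own code. The `<policies>/<usecase>/<role>` layout, the usecase IDs and the roles below are constructed for the demo and are NOT Lenya's real usecase-policies.xml schema. It reproduces the hole Josias describes (an editor opening the authoring URL with `lenya.usecase=admin.users` while no policy entry exists for that usecase), shows the same request being refused once unlisted usecases default to deny, and lists the usecases that have no policy yet, which is exactly what breaks (and therefore gets noticed) after the switch. The decision keys on the usecase ID only; it does not model the authoring/admin area distinction at all.

```python
"""Deny-by-default usecase authorization, stand-alone illustration.

Added example, not Lenya code. The <policies>/<usecase>/<role> layout used
here is a made-up minimal schema for the demo, NOT Lenya's real
usecase-policies.xml format; usecase IDs and roles are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Constructed sample policy file. No admin.* usecase has an entry:
# that is the gap the thread describes.
SAMPLE_POLICIES_XML = """<?xml version="1.0"?>
<policies>
  <usecase id="sitemanagement.create">
    <role id="edit"/>
    <role id="admin"/>
  </usecase>
</policies>
"""

# Constructed list of usecases the publication exposes (hypothetical IDs).
KNOWN_USECASES = ["admin.users", "admin.groups", "sitemanagement.create"]


def load_policies(xml_text):
    """Map usecase ID -> set of role IDs explicitly granted that usecase."""
    root = ET.fromstring(xml_text)
    policies = {}
    for uc in root.findall("usecase"):
        policies[uc.get("id")] = {r.get("id") for r in uc.findall("role")}
    return policies


def usecase_from_url(url):
    """Return the lenya.usecase query parameter, or None when absent."""
    values = parse_qs(urlparse(url).query).get("lenya.usecase")
    return values[0] if values else None


def is_allowed(policies, usecase, user_roles, prohibit_by_default):
    """Decide whether a user holding user_roles may run usecase.

    A usecase with no policy entry is the interesting case: allow-by-default
    lets it through (the hole in the thread); prohibit-by-default refuses it.
    """
    granted = policies.get(usecase)
    if granted is None:
        return not prohibit_by_default
    return bool(granted & set(user_roles))


def authorize_request(policies, url, user_roles, prohibit_by_default):
    """Authorize a request URL. A URL without lenya.usecase is plain page access."""
    usecase = usecase_from_url(url)
    if usecase is None:
        return True
    return is_allowed(policies, usecase, user_roles, prohibit_by_default)


def unprotected_usecases(policies, known_usecases):
    """Usecases open to everyone under allow-by-default.

    Under prohibit-by-default these are exactly the ones that stop working
    until a policy is written for them, which is what makes omissions visible.
    """
    return sorted(set(known_usecases) - set(policies))


def grant(policies, usecase, role):
    """Add an explicit policy entry for usecase; returns the updated mapping."""
    policies.setdefault(usecase, set()).add(role)
    return policies


if __name__ == "__main__":
    url = "http://localhost:8888/default/authoring/index.html?lenya.usecase=admin.users"
    pol = load_policies(SAMPLE_POLICIES_XML)
    editor = ["edit"]
    print("allow-by-default   :", authorize_request(pol, url, editor, False))  # True: the hole
    print("prohibit-by-default:", authorize_request(pol, url, editor, True))   # False
    print("still unprotected  :", unprotected_usecases(pol, KNOWN_USECASES))
    grant(pol, "admin.users", "admin")
    print("admin after grant  :", authorize_request(pol, url, ["admin"], True))  # True
```

Run it as a script to see the four decisions; the unprotected list is the to-do list that prohibit-by-default forces you to work through before release.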
