On 08.02.06 21:38:26, michael nt milne wrote:
> Of course I did. Why on earth would you be able to view a front page of a
> site when it is labelled as 'authenticated' and also as 'manager'? Just by
> pressing cancel or return a few times.

I just checked that with a plain Zope's index_html. I cannot view localhost:8080/ when I change the security setting of index_html to allow View only for Authenticated. However, I can view it when I authenticate with the initial user information.

Now the same thing with a Plone site: having removed the View right from front_page, I get a screen telling me to authenticate. Not the "box", because Plone normally uses cookie auth; you should be able to change that in the UserFolder. If I use the initial user with the cookie-based form, I can see the Plone site.

Then I removed the View right from the Plone site object for Anonymous, and when I access localhost:8080/p1 I get the HTTP Basic login box; giving it the initial user info, it lets me view the front_page.

> Big security flaw I'm sorry.

I wonder why you are the only one experiencing this... Maybe because the error is on your side (or sits in front of your monitor)? And not Zope.

> Also
> superuser passwords don't work when security is set up and I've tried this
> on a couple of set-ups. And this is apart from the usability.

What do you mean by superuser? There is no superuser; you have an initial user, but that's not a user you'd normally use to log in. You add new users in the user folder.

And what usability problem are you now talking about?

Andreas
-- 
Reply hazy, ask again later.
_______________________________________________
Zope maillist - [email protected]
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
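The checks described in the reply above come down to Zope's permission-to-role mapping plus the "Acquire permission settings" flag on each object. The following is an added, constructed model of that logic (not Zope's or Plone's own code) so the three cases from the thread can be replayed offline: View on index_html granted to Authenticated only, View removed from Anonymous on a Plone front_page, and View removed from Anonymous on the site object p1. The object names /, index_html, p1 and front_page come from the thread; the user name "admin" for the initial user, the default root grant of View to Manager and Anonymous, and the tree layout are assumptions. It also shows the check a practitioner wants when such a restriction "does not work": if acquisition is left on, Anonymous is still granted View through the parent, which is the usual reason a page stays visible after the role was unticked.

```python
"""Toy model of Zope-2-style permission settings with acquisition.

Constructed example for this thread, not Zope's or Plone's own code.
Object names are taken from the thread; the user "admin" and the root's
default View grant (Manager, Anonymous) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

ANONYMOUS_ROLES: FrozenSet[str] = frozenset({"Anonymous"})


@dataclass
class Node:
    """An object in the tree. permissions maps a permission name to
    (roles granted here, 'acquire permission settings' checked?)."""
    name: str
    parent: Optional["Node"] = None
    permissions: Dict[str, Tuple[FrozenSet[str], bool]] = field(default_factory=dict)

    def set_permission(self, perm: str, roles, acquire: bool = True) -> None:
        self.permissions[perm] = (frozenset(roles), acquire)

    def roles_for(self, perm: str) -> FrozenSet[str]:
        """Roles that may exercise perm on this object: roles granted here,
        plus the parent's roles for as long as acquisition stays enabled."""
        roles = set()
        node: Optional[Node] = self
        while node is not None:
            granted, acquire = node.permissions.get(perm, (frozenset(), True))
            roles |= granted
            if not acquire:
                break
            node = node.parent
        return frozenset(roles)


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]  # roles assigned in the user folder


def effective_roles(user: Optional[User]) -> FrozenSet[str]:
    """Anonymous requests carry only Anonymous; a logged-in user gets
    Authenticated in addition to the roles from the user folder."""
    if user is None:
        return ANONYMOUS_ROLES
    return user.roles | {"Authenticated"}


def can_view(user: Optional[User], node: Node) -> bool:
    return bool(effective_roles(user) & node.roles_for("View"))


def build_tree():
    """/ with the assumed default View grant, a plain index_html, and a
    Plone site p1 containing front_page; everything acquires from / to start."""
    root = Node("/")
    root.set_permission("View", {"Manager", "Anonymous"}, acquire=False)
    index_html = Node("index_html", root)
    p1 = Node("p1", root)
    front_page = Node("front_page", p1)
    return root, index_html, p1, front_page


ADMIN = User("admin", frozenset({"Manager"}))  # the initial user; name assumed


def index_html_authenticated_only(acquire: bool) -> Tuple[bool, bool]:
    """View on index_html granted to Authenticated only.
    Returns (anonymous can view, initial user can view)."""
    _, index_html, _, _ = build_tree()
    index_html.set_permission("View", {"Authenticated"}, acquire=acquire)
    return can_view(None, index_html), can_view(ADMIN, index_html)


def plone_front_page_no_anonymous() -> Tuple[bool, bool]:
    """Anonymous removed from View on front_page, acquisition off."""
    _, _, _, front_page = build_tree()
    front_page.set_permission("View", {"Manager"}, acquire=False)
    return can_view(None, front_page), can_view(ADMIN, front_page)


def plone_site_no_anonymous() -> Tuple[bool, bool, bool]:
    """Anonymous removed on the site object p1; front_page still acquires,
    so the restriction reaches it. Returns (anon p1, anon front_page, admin front_page)."""
    _, _, p1, front_page = build_tree()
    p1.set_permission("View", {"Manager"}, acquire=False)
    return can_view(None, p1), can_view(None, front_page), can_view(ADMIN, front_page)


if __name__ == "__main__":
    print("index_html, Authenticated only, acquire off:", index_html_authenticated_only(False))
    print("index_html, Authenticated only, acquire on :", index_html_authenticated_only(True))
    print("front_page, Anonymous removed:", plone_front_page_no_anonymous())
    print("p1 site, Anonymous removed:", plone_site_no_anonymous())
```

The second line of output is the case to watch for: with "Acquire permission settings" still checked on index_html, Anonymous is unioned in from the root, and the page remains visible without any login, which looks like a bypass but is simply the configured result.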
