Cliff Ford wrote at 2006-5-14 23:39 +0100:
>My problem is that I figured out how a user who has permission to create
>python scripts (might work with dtml and page templates too) could
>access otherwise forbidden content by making calls that pretend to come
>from another user. Has any one else come across this problem and devised
>a solution, either in software or organisation?
>Problem verified with Zope 2.9.2 and latest RemoteUserFolder.
That surprises me -- unless the user can create "AccessRule"s:
Usually, authentication is performed before any PythonScript is executed.
I know only one exception: "AccessRule"s
Zope maillist - Zope@zope.org