Cliff Ford wrote at 2006-5-14 23:39 +0100:
> ...
> My problem is that I figured out how a user who has permission to create
> python scripts (might work with dtml and page templates too) could
> access otherwise forbidden content by making calls that pretend to come
> from another user. Has any one else come across this problem and devised
> a solution, either in software or organisation?
>
> Problem verified with Zope 2.9.2 and latest RemoteUserFolder.
That surprises me -- unless the user can create "AccessRule"s:
Usually, authentication is performed before any PythonScript is executed.
I know only one exception: "AccessRule"s.

--
Dieter

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope