Cliff Ford wrote at 2006-5-14 23:39 +0100:
> ...
>My problem is that I figured out how a user who has permission to create 
>python scripts (might work with dtml and page templates too) could 
>access otherwise forbidden content by making calls that pretend to come 
>from another user. Has any one else come across this problem and devised 
>a solution, either in software or organisation?
>Problem verified with Zope 2.9.2 and latest RemoteUserFolder.

That surprises my -- unless the user can create "AccessRule"s:

  Usually, authentication is performed before any
  PythonScript is executed.

  I know only one exception: "AccessRule"s

Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to