Hi Keith,
If I remove permission for a page to be viewed, the user can still see it if he has that page embedded in another.
Thanks, this is a severe security leak. If one page is editable,
users are basically able to view any page by embedding it.
I suggest that this be fixed in order that an embedded forbidden page just renders as an empty string.
Please try, it should fix this issue:
Name: Pier-All-lr.205
Author: lr
Time: 26 May 2007, 9:35:56 am
UUID: 99c2c998-0eee-407a-821b-5a9a0488b9ec
Ancestors: Pier-All-lr.204
Dependencies: Pier-Model-lr.152, Pier-Tests-lr.69, Pier-Seaside-lr.169, Pier-OmniBrowser-lr.24, Pier-Security-lr.80, Pier-Blog-lr.55
This makes a way of making user/group specific layout elements, or notices.
Btw, I changed the way environments worked a few days ago. What
environment should be used is now a setting of page, not necessarily a
child called 'environment' anymore. In my opinion this makes the use
of environments much simpler and less error prone. Maybe that would
be a good topic for a blog post someday ...
Cheers,
Lukas
--
Lukas Renggli
http://www.lukas-renggli.ch
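
Added illustration, not part of the original message and not Pier's code: a small Python model of the issue discussed in this thread, where view permission is checked on the requested page but not on pages embedded in it, next to the suggested behaviour of rendering a forbidden embedded page as an empty string. The `+page-name+` embed markup, the class and function names, and the sample pages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

EMBED = re.compile(r"\+([\w/-]+)\+")  # assumed embed markup: +page-name+

@dataclass
class Page:
    name: str
    body: str
    viewers: set = field(default_factory=set)  # users granted view permission

class Wiki:
    def __init__(self, pages):
        self.pages = {p.name: p for p in pages}

    def can_view(self, user, name):
        page = self.pages.get(name)
        return page is not None and user in page.viewers

    def view(self, user, name, check_embeds=True):
        # The top-level check exists in both variants; the gap is only in embeds.
        if not self.can_view(user, name):
            return ""
        return self._expand(user, name, check_embeds, ())

    def _expand(self, user, name, check_embeds, stack):
        page = self.pages.get(name)
        if page is None or name in stack:  # missing target or embed cycle
            return ""
        def replace(match):
            target = match.group(1)
            # Fix: authorise every embedded page against the viewing user,
            # and render a forbidden one as the empty string.
            if check_embeds and not self.can_view(user, target):
                return ""
            return self._expand(user, target, check_embeds, stack + (name,))
        return EMBED.sub(replace, page.body)

def demo_wiki():
    # Constructed sample pages: bob may view "home" but not "salaries".
    return Wiki([
        Page("home", "Welcome. +salaries+ Bye.", {"alice", "bob"}),
        Page("salaries", "CEO: 1", {"alice"}),
    ])

if __name__ == "__main__":
    w = demo_wiki()
    print(repr(w.view("bob", "home", check_embeds=False)))  # unchecked embed
    print(repr(w.view("bob", "home")))                      # checked embed
```

The check runs at render time against the user who is viewing, not the user who wrote the embedding page, so the same embed can show content to one user and nothing to another.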