Submitted by : JózsefJároli at: 2007-06-21T04:36:58-07:00 (10 years ago)
Name :
Category : Severity : Status :
Optional subject :  
Optional comment :

If a user visits a certain page where he/she doesn't have EDIT rights but has ADD rights, so a creation of a new page is initiated opening the editform from that restricted page, pressing the preview button will make the Zope auth window pop up, thus ending the whole story in an ugly insufficient privileges error message for a non-authenticaded visitor.

Steps to reproduce --JózsefJároli, Thu, 21 Jun 2007 04:40:58 -0700 reply

  1. Create an ExamplePage?
  2. set its Zwiki: Edit Pages permission to Manager only, Zwiki: Add pages is available for Anonymous
  3. load the ExamplePage? in an other browser (create form active at the bottom, edit link is hidden)
  4. use the pagemanagement form on ExamplePage? to create a new page
  5. make some edits
  6. press Preview button
  7. Zope authentication pop-up window will appear...

Workaround --JózsefJároli, Fri, 22 Jun 2007 09:02:51 -0700 reply

quick and dirty workaround - add the following attribute to the preview button:

tal:condition="python:user.has_permission('Zwiki: Edit pages',here)"

Got a patch for this --betabug, Thu, 15 May 2008 06:52:20 -0700 reply

I have a patch for this (currently on my repo), but since it involves security stuff, I want it to be reviewed (well, at least sm should have a look at it). The patch will do checking of permissions on editform() at runtime, much like createform() does.

fix is in -unstable repo, closing --betabug, Fri, 16 May 2008 09:41:58 -0700 reply

Status: open => closed