Submitted by : simon at: 2003-10-26T21:32:00+00:00 (14 years ago)

Since the append method calls edit, and edit uses p._handleSetRegulations to check for regulation permissions, anonymous users cannot submit comments unless they have regulation permissions. This would be a major security hazard.

- --2003/04/07 18:41 GMT
Workaround: Give Regulation permissions to anonymous, but revoke view permissions to editform.

(property change) --SimonMichael, 2003/04/14 17:16 GMT
Severity: serious => normal

try this --simon, 2003/04/14 17:37 GMT
I see what you're saying though - _handleSetRegulations tries to set regulations when it shouldn't. Pending a better idea from someone, see if this fixes it for you:

    def _handleSetRegulations(self,REQUEST):
        if REQUEST.get('who_owns_subs',None) != None:
            # do we have permission ?
            if not self._checkPermission(Permissions.ChangeRegs,self):
                raise 'Unauthorized', (
                  _("You are not authorized to set this ZWiki Page's regulations."))
            self.setRegulations(REQUEST)
            self._preRender(clear_cache=1)

(property change) --simon, 2003/04/14 17:39 GMT
Title: IssueNo0485 Anonymous Comments require Anonymous Regulation permissions => IssueNo0485 when using regulations, comments also require change regulations permission

fixed for 0.18 --simon, 2003/04/21 17:04 GMT
Status: open => closed
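
The behaviour discussed in this thread, as an added example that is not part of the original issue or ZWiki's own code: a minimal Python 3 model in which `append` calls `edit`, and the regulations check either always runs (as reported) or runs only when `who_owns_subs` is submitted (as in the posted patch). The `Page` class, the permission names and the `attempt` helper are hypothetical stand-ins.

```python
# Added illustration: a minimal stand-in for the page class, not ZWiki code.
CHANGE_REGS = "change regulations"   # hypothetical permission names
ADD_COMMENT = "add comments"


class Unauthorized(Exception):
    pass


class Page:
    def __init__(self, guard_on_field):
        # guard_on_field=False models the behaviour reported in the issue,
        # True models the posted patch.
        self.guard_on_field = guard_on_field
        self.text = ""
        self.regulations = {}

    def _handle_set_regulations(self, request, user_perms):
        # Patched form: do nothing unless the regulations field was submitted.
        if self.guard_on_field and request.get("who_owns_subs") is None:
            return
        if CHANGE_REGS not in user_perms:
            raise Unauthorized("not authorized to set this page's regulations")
        self.regulations["who_owns_subs"] = request.get("who_owns_subs")

    def edit(self, request, user_perms):
        # The permission check runs before any state changes.
        self._handle_set_regulations(request, user_perms)
        self.text += request.get("text", "")

    def append(self, request, user_perms):
        if ADD_COMMENT not in user_perms:
            raise Unauthorized("not authorized to comment")
        self.edit(request, user_perms)


def attempt(page, method, request, user_perms):
    """Run one request against the page and return 'ok' or 'denied'."""
    try:
        getattr(page, method)(request, user_perms)
        return "ok"
    except Unauthorized:
        return "denied"
```

With the guard in place, a commenter who holds only the comment permission can append, while a request that carries `who_owns_subs` is still refused, so the regulations permission does not have to be granted to anonymous users.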