Submitted by : Jaap Noordzij at: 2004-05-07T00:27:38+00:00 (13 years ago)
Name :
Category : Severity : Status :
Optional subject :  
Optional comment :

It seems that Anonymous users can add pages in my Wiki, even when the ZWiki: Add Pages is only on for managers with Acquisition turned off. As far as I can see this happens since 0.30.

The strange thing is that it is not on all wiki's in my Plone site. Could this have something to do with me running setupCatalog?reindex= or deleting the links (metadata and index) ?

However

same problem.

is gone and anonymous users can not add pages

Could anybody test / reproduce this in his own 0.30 / Plone env ? (The security machinery of Zope is sometimes not very transparent to me)

can't reproduce --simon, Fri, 21 May 2004 20:44:43 -0700 reply

Thanks. I've started a functional test suite for problems like this. I can't reproduce this one myself. What procedure are the anonymous users using to create wiki pages ?

can't reproduce --Sat, 22 May 2004 02:09:43 -0700 reply

Anonymous uses can click the questionmark beside a WikiWord and add a new page with this name.

I can reproduce the problem in Plone on most of my sites. When I revert to 0.29 the problem is gone. Could this be caused by another installed Product ? How can I test this ?

can't reproduce --simon, Sat, 22 May 2004 03:41:08 -0700 reply

I doubt it's another product.. but you could rule it out by removing them all (except those necessary for plone), restarting zope, retesting. Also try setting up a new restricted wiki in or out of plone and see if it works as expected. I really think you have overlooked a permissions error. Perhaps the permissions audit in plone setup would give a clue.

Test --Jaap Noordzij, Mon, 24 May 2004 07:07:04 -0700 reply

I was about to install a new SuSE? on my testmachine. So I installed everything from source: Python 2.3.3, Zope 2.7.0, Plone 2.0.3 and Zwiki 0.30.0. Nothing was imported from an existing site. The only product installed beside the Plone products was ZWiki.

The situation remains the same: Anonymous can add pages when they click the questionmark next to a WikiWord?. I could hardly have overlooked a permission error here I think ? I never touched Zope permissions for this test.

hmm --SimonMichael, Mon, 24 May 2004 21:47:01 -0700 reply

HMM. I do see this now, in a non-plone site. The permissions on editform and createform seem to be having no effect. Strange.

property change --Mon, 24 May 2004 21:59:14 -0700 reply

fixed for 0.31 --SimonMichael, Mon, 24 May 2004 22:25:02 -0700 reply

It seems I STILL didn't understand security declarations. After last month's refactoring a number of classes were missing the necessary initialize statement. Thank you!

property change --SimonMichael, Mon, 24 May 2004 22:25:24 -0700 reply

Status: open => closed

property change --SimonMichael, Mon, 24 May 2004 22:26:29 -0700 reply

Name: 'IssueNo0796? Anonymous can add pages' => 'IssueNo0796? some permissions have no effect in 0.30'