Hi Keith,
> If I remove permission for a page to be viewed, the user can still see
> it if he has that page embedded in another.
thanks, this is a severe security leak. If one page is editable,
users are basically able to view any page by embedding it.
> I suggest that this be fixed in order that an embedded forbidden page
> just renders as an empty string.
Please try, it should fix this issue:
Name: Pier-All-lr.205
Author: lr
Time: 26 May 2007, 9:35:56 am
UUID: 99c2c998-0eee-407a-821b-5a9a0488b9ec
Ancestors: Pier-All-lr.204
Dependencies: Pier-Model-lr.152, Pier-Tests-lr.69, Pier-Seaside-lr.
169, Pier-OmniBrowser-lr.24, Pier-Security-lr.80, Pier-Blog-lr.55
> This makes a way of making user/group specific layout elements, or
> notices.
Btw, I changed the way environments worked a few days ago. What
environment should be used is now a setting of page, not necessary a
child called 'environment' anymore. In my opinion this makes the use
of environments much simpler and less error prone. Maybe that would
be a good topic for a blog post someday ...
Cheers,
Lukas
--
Lukas Renggli
http://www.lukas-renggli.ch_______________________________________________
SmallWiki, Magritte, Pier and Related Tools ...
https://www.iam.unibe.ch/mailman/listinfo/smallwiki
Locked
