Monday 26 February 2007 8:27:56 am
For example, go to a random documentation page on ez.no. Start adding a comment as anonymous user. Use another browser/computer and go to the same content/edit url, and you will be able to edit the form there. This is a security problem when developing a site for a customer who needs external anonymous users to create new objects. As it is, other people can get the information from any partly stored object. I've searched for more on this issue, and found an old bug repport, that says this is a fixed bug (ref: http://issues.ez.no/6680). However, to me the bug appears to still exist. Could there be some ini setting I've missed? I've made sure that the content/edit policy has limitation owner(self). So is this a bug, or is there some settings I've missed?
|