non-member can add blog entry

Bug #344394 reported by Nat Katin-Borland
Affects: KARL3
Status: Fix Released
Importance: Medium
Assigned to: Tres Seaver
Milestone:

Bug Description

A non-member can add/edit/delete a blog entry in a community that they are not a member of. Signed in as Staff1 and visited Testing Place community, which Staff1 is not a member of. Staff1 was still able to add/edit/delete blog entries.

Changed in karl3:
assignee: nobody → paul-agendaless
importance: Undecided → Medium
milestone: none → m4
Revision history for this message
Paul Everitt (paul-agendaless) wrote : Re: [Bug 344394] [NEW] non-member can add blog entry

Right. In general, we're not testing things regarding security at the
moment (per the agreement), but it's ok to file things you might find.

--Paul

On Mar 17, 2009, at 1:15 PM, Nat Katin-Borland wrote:

> Public bug reported:
>
> A non-member can add/edit/delete a blog entry in a community that they
> are not a member of. Signed in as Staff1 and visited Testing Place
> community, which Staff1 is not a member of. Staff1 was still able to
> add/edit/delete blog entries.
>
> ** Affects: karl3
> Importance: Medium
> Assignee: Paul Everitt (paul-agendaless)
> Status: New
>
>
> ** Tags: show-blog
>
> ** Changed in: karl3
> Importance: Undecided => Medium
> Assignee: (unassigned) => Paul Everitt (paul-agendaless)
> Target: None => m4
>
> ** Tags added: show-blog
>
> --
> non-member can add blog entry
> https://bugs.launchpad.net/bugs/344394
> You received this bug notification because you are a bug assignee.
>
> Status in Porting KARL to a new architecture: New
>
> Bug description:
> A non-member can add/edit/delete a blog entry in a community that
> they are not a member of. Signed in as Staff1 and visited Testing
> Place community, which Staff1 is not a member of. Staff1 was still
> able to add/edit/delete blog entries.

Nat Katin-Borland (nborland) wrote :

I just figured I would submit what I see, as a reminder to re-test
later.

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of
Paul Everitt
Sent: Tuesday, March 17, 2009 1:30 PM
To: Nathaniel Katin-Borland
Subject: Re: [Bug 344394] [NEW] non-member can add blog entry

Right. In general, we're not testing things regarding security at the
moment (per the agreement), but it's ok to file things you might find.

--Paul

On Mar 17, 2009, at 1:15 PM, Nat Katin-Borland wrote:

> Public bug reported:
>
> A non-member can add/edit/delete a blog entry in a community that they
> are not a member of. Signed in as Staff1 and visited Testing Place
> community, which Staff1 is not a member of. Staff1 was still able to
> add/edit/delete blog entries.
>
> ** Affects: karl3
> Importance: Medium
> Assignee: Paul Everitt (paul-agendaless)
> Status: New
>
>
> ** Tags: show-blog
>
> ** Changed in: karl3
> Importance: Undecided => Medium
> Assignee: (unassigned) => Paul Everitt (paul-agendaless)
> Target: None => m4
>
> ** Tags added: show-blog
>
> --
> non-member can add blog entry
> https://bugs.launchpad.net/bugs/344394
> You received this bug notification because you are a bug assignee.
>
> Status in Porting KARL to a new architecture: New
>
> Bug description:
> A non-member can add/edit/delete a blog entry in a community that
> they are not a member of. Signed in as Staff1 and visited Testing
> Place community, which Staff1 is not a member of. Staff1 was still
> able to add/edit/delete blog entries.

--
non-member can add blog entry
https://bugs.launchpad.net/bugs/344394
You received this bug notification because you are a direct subscriber
of the bug.

Status in Porting KARL to a new architecture: New

Bug description:
A non-member can add/edit/delete a blog entry in a community that they
are not a member of. Signed in as Staff1 and visited Testing Place
community, which Staff1 is not a member of. Staff1 was still able to
add/edit/delete blog entries.

Changed in karl3:
milestone: m4 → m7
Paul Everitt (paul-agendaless) wrote :

M9 is when we tackle security.

Changed in karl3:
milestone: m7 → m9
Tres Seaver (tseaver) wrote :

I have checked in a twill test for this bug, and added the following fixes:

- updated the 'staff_acl' defined in 'osi.run' to allow KarlStaff only the 'view'
  permission in public areas.

- Corrected the ZCML permission for the 'add_blogentry.html' view (was 'view',
  now 'create').

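The fix above has two parts: the add view was guarded by the wrong permission ('view' instead of 'create'), and the staff ACL granted KarlStaff more than 'view' in public areas. Either one alone would have left the hole open. The following is an added illustration, not KARL's own code: a minimal ACL evaluator with Pyramid/repoze.bfg-style semantics (first matching ACE on the path from the content object to the root wins, default deny). The principal names, the community ACL and the view registration are assumptions made for the example; only the 'staff_acl' change and the 'view' to 'create' change come from the comment.

```python
# Constructed example of ACL-based authorization in the repoze.bfg/Pyramid
# style that KARL builds on. Not KARL's own code: the ACLs, principal names
# and the community layout below are assumptions made for illustration.

Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"
ALL_PERMS = ("view", "create", "edit", "delete")


class Node:
    """A content node; ACL lookups walk from the node up to the root."""

    def __init__(self, name, parent=None, acl=()):
        self.__name__ = name
        self.__parent__ = parent
        self.__acl__ = list(acl)


def lineage(node):
    while node is not None:
        yield node
        node = node.__parent__


def permits(context, principals, permission):
    """First matching ACE on the path from context to root decides;
    no match at all means deny (Pyramid ACLAuthorizationPolicy semantics)."""
    for node in lineage(context):
        for action, principal, perms in node.__acl__:
            perms = (perms,) if isinstance(perms, str) else perms
            if principal in principals and permission in perms:
                return action == Allow
    return False


# The two versions of the staff ACL described in the fix: the old one let
# KarlStaff do everything in public areas, the fixed one grants 'view' only.
STAFF_ACL_OLD = [(Allow, "group.KarlStaff", ALL_PERMS)]
STAFF_ACL_FIXED = [(Allow, "group.KarlStaff", "view")]


def build_site(staff_acl):
    """Root (the public area) carries the staff ACL. The community is public,
    so everyone may view it, but create/edit/delete stay with its members.
    (Assumed layout, not KARL's.)"""
    root = Node("", acl=staff_acl)
    community = Node("testing-place", root, acl=[
        (Allow, "group.community:testing-place:members", ALL_PERMS),
        (Allow, Everyone, "view"),
    ])
    return Node("blog", community)  # the blog inherits the community ACL


def can_call_add_view(view_permission, staff_acl, principals):
    """True if `principals` may invoke add_blogentry.html on the blog when
    that view is registered with `view_permission` ('view' or 'create')."""
    blog = build_site(staff_acl)
    return permits(blog, principals, view_permission)


# Principals of a signed-in staff member who is not a community member,
# and of an ordinary community member (assumed group names).
STAFF1 = {Everyone, Authenticated, "group.KarlStaff"}
MEMBER = {Everyone, Authenticated, "group.community:testing-place:members"}

if __name__ == "__main__":
    for view_perm in ("view", "create"):
        for label, acl in (("old staff_acl", STAFF_ACL_OLD),
                           ("fixed staff_acl", STAFF_ACL_FIXED)):
            print(f"view permission={view_perm!r:9} {label:16} "
                  f"Staff1 can add: {can_call_add_view(view_perm, acl, STAFF1)}")
```

Running it shows the non-member staff user still able to add in three of the four combinations: with the view registered under 'view', the public community's own "everyone may view" grant is enough; with the old staff ACL, the root grants 'create' even once the view asks for it. Only the combination shipped in the fix (view requires 'create' and staff get 'view' only) denies Staff1 while a community member keeps the ability to post.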
Changed in karl3:
assignee: paul-agendaless → tseaver
milestone: m9 → m8
status: New → Fix Committed
Changed in karl3:
status: Fix Committed → Fix Released