Ticket #1157 (closed defect: invalid)

Opened 14 years ago

Last modified 14 years ago

Anonymous users can delete events.

Reported by: Brian Sutherland <jinty@…> Owned by: lregebro
Priority: P1 Milestone: unspecified
Component: CalZope Version: TRUNK
Severity: normal Keywords:
Cc:

Description

taken from CalZope?/browser/configure.zcml

<browser:page

for="calcore.interfaces.ICalendarEvent" template="eventdelete.pt" name="delete.html" permission="zope.Public"

class=".browser.event.EventView?" />

Perhaps it's not so bad as they would have to guess the url. But still doesn't feel right.

Change History

comment:1 Changed 14 years ago by lregebro

  • Status changed from new to closed
  • Resolution set to invalid

It's protected in the code, so you can't delete it if you don't have the correct rights, even though you can see the page.

I have changed the permission management since then, maybe I can simplify this, but it is not a bug per se.

Note: See TracTickets for help on using tickets.