#5: Improve Security
- Proposed by: adamu
- Proposal type: Architecture
- State: being-discussed
Motivation
This was proposed by a user...
From my testing, it appears that an anonymous visitor who knows or figures out the right URLs may do the following:
- Access questionnaire_edit_form and then:
  - Modify questions.
  - Reset the questionnaire, deleting all previous submissions.
- View results for the questionnaire at pages such as questionnaire_view_results and html_spreadsheet.
- View questionnaire_edit_properties_form (although changes are not permitted there without authentication).
Proposal
A temporary fix involves customising the affected pages and setting the View security setting to Managers and Owners. The affected pages are: "questionnaire_edit_form", "questionnaire_edit", "question_position", "questionnaire_reset", "questionnaire_reset_form", "question_edit_form", "question_edit", "html_spreadsheet", "html_spreadsheet2", "questionnaire_view_results", "spreadsheet", "spreadsheet2", "spreadsheet3", "question_barchart", "respondents_view", "questionnaire_properties_edit", "questionnaire_edit_properties_form", "question_delete", "comments_view".
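The temporary fix above expressed as a script, added here as an example and not part of CMFQuestions or the original proposal: it audits the View permission on the customised copies and then restricts it, counting a page as still open while "Acquire" is ticked, because acquired roles are added to the locally ticked ones. Assumptions: `objs` is built from portal_skins/custom (for example `dict(custom.objectItems())`), the objects offer Zope's RoleManager methods `manage_permission`, `rolesOfPermission` and `acquiredRolesAreUsedBy`, the code is written in present-day Python, and `FakeSkinObject` is a constructed stand-in so the block runs outside Zope.

```python
# Added example, not CMFQuestions code. Assumption: `objs` maps id -> object
# for portal_skins/custom, e.g. dict(custom.objectItems()), and every object
# has Zope's RoleManager methods used below.
PAGES = """questionnaire_edit_form questionnaire_edit question_position
questionnaire_reset questionnaire_reset_form question_edit_form question_edit
html_spreadsheet html_spreadsheet2 questionnaire_view_results spreadsheet
spreadsheet2 spreadsheet3 question_barchart respondents_view
questionnaire_properties_edit questionnaire_edit_properties_form
question_delete comments_view""".split()
ALLOWED = {"Manager", "Owner"}  # Zope role names for "Managers and Owners"

def audit(objs, names=PAGES):
    """Classify each page as 'not customised', 'open' or 'restricted'."""
    report = {}
    for name in names:
        obj = objs.get(name)
        if obj is None:
            report[name] = "not customised"  # no editable copy in custom yet
            continue
        granted = {r["name"] for r in obj.rolesOfPermission("View") if r["selected"]}
        acquired = bool(obj.acquiredRolesAreUsedBy("View"))
        # Acquired roles are added to the local ones, so a ticked "Acquire"
        # box can still admit Anonymous even if only Manager/Owner are ticked.
        report[name] = "open" if acquired or granted - ALLOWED else "restricted"
    return report

def restrict(objs, names=PAGES):
    """Grant View to Manager and Owner only, with acquisition switched off."""
    for name in names:
        if name in objs:
            objs[name].manage_permission("View", roles=sorted(ALLOWED), acquire=0)
    return audit(objs, names)

class FakeSkinObject:
    """Constructed stand-in for a customised skin object (not a Zope class)."""
    def __init__(self):
        self.roles, self.acquire = [], 1  # default: View acquired from parent
    def manage_permission(self, permission_to_manage, roles=(), acquire=0):
        self.roles, self.acquire = list(roles), acquire
    def rolesOfPermission(self, permission):
        return [{"name": r, "selected": "SELECTED" if r in self.roles else ""}
                for r in ("Anonymous", "Manager", "Owner")]
    def acquiredRolesAreUsedBy(self, permission):
        return "CHECKED" if self.acquire else ""
```

Any name reported as "not customised" after the run has not been moved to the custom folder yet, so the restriction has not been applied to it.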
Re: where can I change these settings?
These files can be found in the portal_skins/questions directory of your Plone root. Use the ZMI to navigate there and click on the Customize button to change these files. This will move them to the custom folder, where they will become editable.
I have confirmed it
Adamu,
Thank you for your comment. I have confirmed your explanation now.
kazuo
where can I change these settings?
Adam,
Thank you for your nice Products.
Now I need to attach this "Temporary fix" to my Plone. But I can't find the "questionnaire_edit_form", "questionnaire_edit", ...etc settings.
I checked the home of my Zope and the folder of Plone but could not find them. Please advise me.
CMFQuestions is 0.5, Zope 2.7.4, Plone 2.0.5
kazuo