Bug in version 0.5 with Plone 2.5.2
Copied from Plone Bug Report I submitted:
While working on a newly created Plone 2.5.2 site this evening, I discovered that the folder_localrole_form (aka Sharing) can be accessed by anonymous users. This can be accomplished by accessing http://mysite.com/front-page/sharing.
By itself, this gives anonymous users the ability to display the membership database, but they cannot change the settings.
However, when coupled with qPloneGoogleSitemaps-0.5 using the pinging functions on state change, anonymous users are capable of actually changing the state of the page (i.e., retracting a published page or publishing a public draft page). Once the ping on state change options are set, they cannot be reset, thus leaving the hole open until a complete reinstall of the Plone site.
While Plone allows anonymous users to access the folder_localrole_form (aka sharing) with or without qPloneGoogleSitemaps installed, the ability for the anonymous users to change the state of the object is activated when the publish option is checked in Sitemaps Setup -> Pinging -> Workflows to Ping -> plone_workflow.
If I try to uncheck the publish option and save it, I get the following error:
Traceback (innermost last):
Module ZPublisher.Publish, line 115, in publish
Module ZPublisher.mapply, line 88, in mapply
Module ZPublisher.Publish, line 41, in call_object
Module Products.CMFFormController.FSControllerPageTemplate, line 90, in __call__
Module Products.CMFFormController.BaseControllerPageTemplate, line 28, in _call
Module Products.CMFFormController.ControllerBase, line 232, in getNext
- __traceback_info__: ['id = prefs_gsm_pinging', 'status = success', 'button=Save', 'errors={}', 'context=<PloneSite at test>', 'kwargs={}', 'next_action=None', '']
Module Products.CMFFormController.Actions.TraverseTo, line 38, in __call__
Module ZPublisher.mapply, line 83, in mapply
Module ZPublisher.Publish, line 46, in missing_name
Module ZPublisher.HTTPResponse, line 668, in badRequestError
BadRequest: <h2>Site Error</h2>
<p>An error was encountered while publishing this resource.
</p>
<p><strong>Invalid request</strong></p>
The parameter, <em>transitions</em>, was omitted from the request.<p>Make sure to specify all required parameters, and try the request again.</p>
<hr noshade="noshade"/>
<p>Troubleshooting Suggestions</p>
<ul>
<li>The URL may be incorrect.</li>
<li>The parameters passed to this resource may be incorrect.</li>
<li>A resource that this resource relies on may be
encountering an error.</li>
</ul>
<p>For more detailed information about the error, please
refer to the error log.
</p>
<p>If the error persists please contact the site maintainer.
Thank you for your patience.
</p>
If you have any questions, please email me because I can replicate this on my test server, which is how I got the traceback. I am currently using Sitemaps on the original site without the pinging options. While anonymous users can still view the sharing page, they cannot change the state as long as I do not change the default pinging settings in Sitemaps.
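The report above describes the Sharing form of a page being reachable without logging in. As an added example (not part of the report and not code from the qPloneGoogleSitemaps product), here is a small regression check a site administrator can run against their own Plone site after applying a fix: it fetches "<page>/sharing" with no credentials or cookies, refuses to follow redirects, and classifies the response. The view name "sharing" and the example URL come from the report; the login URL markers ("login_form", "require_login") and the classification rules are assumptions about a Plone 2.x site.

```python
"""Anonymous-access regression check for a Plone page's Sharing form.

Added example; not part of the original bug report or the product it describes.
Assumes Plone 2.x conventions: "<page>/sharing" is the Sharing form (from the
report) and an unauthenticated request is sent to "login_form"/"require_login"
(assumed login URL markers).
"""
import urllib.error
import urllib.request

SHARING_VIEW = "sharing"  # alias for folder_localrole_form, as named in the report
LOGIN_MARKERS = ("login_form", "require_login")  # assumed Plone login URLs


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the redirect itself is inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def fetch_anonymous(url, timeout=10):
    """GET a URL with no cookies or credentials; return (status, location, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "sharing-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 4xx and 5xx land here
        body = err.read() if err.fp is not None else b""
        return err.code, err.headers.get("Location"), body


def classify_sharing_response(status, location, body):
    """Return 'protected' when anonymous is refused or sent to log in,
    'exposed' when the form is served, otherwise 'unexpected:<status>'."""
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307) and location and any(
        marker in location for marker in LOGIN_MARKERS
    ):
        return "protected"
    if status == 200 and any(marker.encode() in body for marker in LOGIN_MARKERS):
        return "protected"  # login form rendered inline instead of a redirect
    if status == 200:
        return "exposed"  # the Sharing form (or some other page) was served anonymously
    return "unexpected:%d" % status


def check_sharing(page_url):
    """Classify anonymous access to the Sharing form of the page at page_url."""
    status, location, body = fetch_anonymous(page_url.rstrip("/") + "/" + SHARING_VIEW)
    return classify_sharing_response(status, location, body)


if __name__ == "__main__":
    import sys

    # Example target from the report; pass your own page URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://mysite.com/front-page"
    print(target, "->", check_sharing(target))
```

Run it against a page on a test copy of the site before and after changing the pinging settings; the expected result for an anonymous request is "protected". A result of "exposed" reproduces the first half of the report, and the check can be kept in a cron job or deployment script so the condition is noticed if a reinstall or configuration change reopens it.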
