Any logged in user can view prefs_mailhost_form, which exposes the esmtp password

[hannosch]

Just noticed I had a bug report from George Lee rotting in my inbox:

"Came across this -- in Plone 2.1.2, any logged in user can view prefs_mailhost_form, which exposes the ESMTP password if it exists. (It's obscured in the browser, but can easily be unmasked.)"

I guess this means direct attribute access to the esmtp password might also be only weakly secured.

[shh]

Just how brilliant is that? Why the fsck can control panel stuff be viewed by anyone without "Manage portal" at all? May there be more pref panels affected?

[raphael]

It should be sufficient to adjust

CMFPlone/skins/plone_prefs/prefs_mailhost_form.cpt.metadata

where currently 'View' is protected by

[security] View=0:Authenticated

Changing this to 'Manage portal' should suffice (untested).

As Stefan already implied, other pref_panels are affected as well. Looks like this is the default for everything :-( Do we have an explicit policy here? I agree with Stefan here that in general these panels should require 'Manage portal'.

[rocky]

Whit is actively working on this one.

[brcwhit]

proper syntax is actually the following:

View = 0: Manager

Not sure what the 0: does, but this follows examples in CMFCore tests.

[brcwhit]

(In [9781]) set access to View = 0:Manager fixes #5434

[alecm]

There may well be cases where non-Managers should access some of these prefpanels (i.e. when people have created custom roles for managing users, etc), which is why it's generally a bad idea to use a specific role to restrict security. Doing a permission check in the template (like the user prefs does) is often a better solution, though in this case it shouldn't matter a bit.