[ZendTo] Re: Using a foreign ZendTo-Server as a file hoster

John Thurston john.thurston at alaska.gov
Thu Sep 18 20:26:31 BST 2014

On 9/17/2014 11:43 AM, Scheidt, Stefan wrote:
> Hi!
> I think I just found a serious flaw in the default templates shipped
> with ZendTo.
> If you upload a file as an unauthorized user, the claimID and
> claimPasscode are included as hidden fields in the "Drop-Off Summary"
> page as a part of the "deleteDropoff" form, even if you don't have
> the permission to delete the DropOff.
- snip -

> Can anybody confirm this behaviour or prove me wrong?

I have confirmed this behavior in my 4.11 installation.

Next I will confirm your proposed modification to the behavior.
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska

More information about the ZendTo mailing list