Surveys problem?

Lawrence Lee Manila-Newbies@userland.com
Mon, 2 Dec 2002 15:50:09 -0800



Does he see the Editors Only menubar on the site? I tried the same thing
on a test Manila site and wasn't able to edit/delete a survey while
logged out or signed in as a regular member.
 
Lawrence

-----Original Message-----
From: manila-newbies-admin@userland.com
[mailto:manila-newbies-admin@userland.com] On Behalf Of Dan Mitchell
Sent: December 2, 2002 1:29 PM
To: Manila-Newbies
Subject: Surveys problem?


One of my web-savvy students today told me that he was able to make the
edit link work on one of my sites by substituting the word EDIT in the
RUN url. He also was able to substitute DELETE! Yikes!

He is logged in as a site member, but not as an editor of any sort.

Further explanation:

This link appears to him when he goes to the survey page:
  
http://www.domain.com/music1/surveys/run/dan@mitchell.fhda.edu/howHighIsTheSky001

He can change it manually to

http://www.domain.com/music1/surveys/EDIT/dan@mitchell.fhda.edu/howHighIsTheSky001
or
http://www.domain.com/music1/surveys/DELETE/dan@mitchell.fhda.edu/howHighIsTheSky001

and it works! 

Not good, right?

Dan
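
Added example, not part of the original messages and not Manila's own code: a server-side check that decides each survey action from the session role at dispatch time, so leaving the edit link off the page is not what protects the survey. The role names, the policy table and the function names are assumptions made for illustration; the URLs are the ones quoted in the thread.

```python
from urllib.parse import urlsplit, unquote

# Assumed policy (hypothetical, not Manila's): roles allowed per survey action.
REQUIRED_ROLES = {
    "run": {"member", "editor"},
    "edit": {"editor"},
    "delete": {"editor"},
}


def parse_survey_url(url):
    """Split /<site>/surveys/<action>/<owner>/<survey> into its parts.

    Returns None when the path does not have that shape.
    """
    parts = [unquote(p) for p in urlsplit(url).path.split("/") if p]
    if len(parts) != 5 or parts[1].lower() != "surveys":
        return None
    site, _, action, owner, survey = parts
    # Normalise case before the policy lookup so EDIT and edit hit the same rule.
    return {"site": site, "action": action.lower(), "owner": owner, "survey": survey}


def authorize(url, role):
    """Return (allowed, reason) for a request made with the given session role."""
    req = parse_survey_url(url)
    if req is None:
        return False, "not a survey URL"
    allowed_roles = REQUIRED_ROLES.get(req["action"])
    if allowed_roles is None:
        return False, "unknown action"  # deny by default
    if role not in allowed_roles:
        return False, f"{req['action']} requires one of {sorted(allowed_roles)}"
    return True, "ok"


if __name__ == "__main__":
    base = "http://www.domain.com/music1/surveys/{}/dan@mitchell.fhda.edu/howHighIsTheSky001"
    for action in ("run", "EDIT", "DELETE"):
        for role in ("member", "editor"):
            print(action, role, authorize(base.format(action), role))
```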


