If you are really behind the 8-ball here is a really ugly workaround that may buy you some time to fix it properly: after you authenticate a user, use a dtml method (e.g. 'method1') to invoke the target method (e.g. <dtml-var "/.../.../somemethod">). In 'somemethod', check to make sure that it was invoked by 'method1' (use a REQUEST var such as SCRIPT_URI or PATH_TRANSLATED). If you came from method1 then let the user proceed; if not, do a RESPONSE.redirect somewhere else (e.g. home page - I wouldn't display an error message, you don't want to help the hackers).

This is a reaallly bad hack, and is not very secure, but it may buy you some time to fix the problem properly.

Good Luck!

Jonathan

----- Original Message -----
From: "bruno modulix" <bruno@modulix.org>
To: "Julien Anguenot" <ja@nuxeo.com>
Cc: <zope@zope.org>
Sent: Tuesday, September 27, 2005 10:31 AM
Subject: Re: [Zope] Aquisition, UserFolder and security
Julien Anguenot wrote:
> bruno modulix wrote:
>> Julien Anguenot wrote:
>>> (snip)
>>> To sum up it's a matter of configuration.
>>
>> I'm afraid there's more to it than just a matter of configuration, cf below...
>
> I confirm. Having done the intranet of the Senegal government (almost 35 CPS (one instance for each ministry) on the same Zope within a ZEO env linked on a central LDAP with different branches for users and groups per ministry) using CPS, I have sort of an idea what you're trying to do here.
>
>> I've spent quite some time investigating the CPSUserFolder/Metadirectories/Stackingdirectories/backingDirectories... solution, and the final word (from Olivier Grisel, cf the cps-users ml) was that some code concerning roles and groups management was not yet fully implemented, so the whole thing couldn't work without patching and merging parts of CPSDirectories - which was a definitive no-no for us.
>
> I assume you're talking about roles and groups computed schema fields here on directories. This is a TALES expression linking the directories. The code can be wherever you wanna, even within the TALES expression if you feel like...
>
> That's probably what Olivier tried to say. Still I didn't follow the discussion at this time.

Too bad :(

You'll find it on the cps-users list. I'm not a CPS expert[1] - and not even a Zope expert - but from what I saw, it seemed to imply more than only TALES expressions...

[1] given the change pace and resulting lack of documentation, I guess only you Nuxeo guys have a good understanding of the whole product...

> Let me add that CPSUserFolder works and is in production for a while now in several projects. So be sure it's stable.

I don't doubt it works fine. I just didn't manage to make the whole thing work, and couldn't afford to spend more time on it.

>> I don't know if this has been fixed in 3.3.6, but anyway, this part of our project is supposed to be already working (and mostly does, except for this security problem), and we can't afford to come back on it, as it would delay delivery by at least one week - which is also not an option. But thanks anyway...
>
> Then, you might have a design flaw...

Probably. Certainly. But we'll have to live with it for at least this and next iteration - our customer needs a working solution for yesterday, and we have pretty good reasons to do whatever we can to deliver yesterday.

> You didn't reply to my question in the first place: are you controlling the LDAP (rw)?

Actually, no, r only. As I answered to Jens, it's part of a bigger system, and we have very little freedom here. This will probably change in the future, but we must first deal with the existing situation.

> Are the schemas describing your users different between the CPS instances?

Yes.

> etc...
>
> CPSUserFolder has been designed to tackle such a use case. (Not only this use case but this one has been a reason of the existence of this product.)

I know, that's why my first try was to use the CPSUserFolder + metadirectories + etc solution.

Now from what I saw (I may have missed some points, but...), we concluded that using LDAPUserGroupsFolder, at least for the first rounds, would be much more manageable - we (well... I) only forgot that acquisition could come in the way :(

> Of course, looking for a hack to deliver your project can always be a solution ;)

I'm afraid it's the only short-term solution we have.
--
Bruno Desthuilliers
Developer
bruno@modulix.org

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )