Greg Fischer wrote:
I have folder 1: /site/dev/customer1/folder/page and folder 2: /site/dev/customer2/folder1/folder2/page
Each customer level folder has acl_users with different/separate accounts. The security at the customer level folder is set to not acquire and no anonymous access. Now here is the problem I see, you type in your URL: someplace.com/site/dev/customer1/folder/page
You are asked to authenticate. Then you change your url after authentication to: somplace.com/site/dev/customer1/folder/customer2/folder1/folder1/page
And you get right in with no authentication! That should not be allowable.
Does that work if you simplify it to: somplace.com/site/dev/customer1/customer2/folder1/folder2/page ?

Are you sure 'page' is the page from customer 2 and not the one from customer 1?

Well, some possibilities:

- The user you logged in as comes from a "higher up" user folder, in which case they'd be able to access either customer
- there's a serious security hole in zope ;-)

If you can reproduce it and are sure everything is as it should be, boil it down to the simplest possible case that reproduces the bug and chuck it into the collector at:

http://www.zope.org/Collectors/Zope

...'cos it'll need urgent attention!

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
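An added example, not code from this thread or from Zope itself: a toy model of how implicit acquisition resolves a URL like the one Greg typed, plus a defender-side check that compares the physical containment path of the object reached with the path requested, so a request that walked sideways into another customer's tree can be flagged or refused before any content is served. The folder and page names are taken from the thread; the tree, the Node class and the helper names are assumptions.

```python
# Added example (not from the thread or from Zope): toy acquisition traversal
# and a check for objects reached by acquisition rather than containment.
class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}

    def add(self, name):
        self.children[name] = Node(name, self)
        return self.children[name]

    def physical_path(self):
        # Containment path, in the spirit of Zope's getPhysicalPath().
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "/" + "/".join(reversed(parts))


def lookup(node, name):
    # Implicit acquisition: try the current container, then each ancestor.
    while node is not None:
        if name in node.children:
            return node.children[name]
        node = node.parent
    return None


def traverse(root, url_path):
    # Resolve each URL segment with acquisition, as the publisher would.
    node = root
    for part in url_path.strip("/").split("/"):
        node = lookup(node, part)
        if node is None:
            return None
    return node


def acquired_access(root, url_path):
    # True when the object was reached by acquisition, not containment.
    obj = traverse(root, url_path)
    return obj is not None and obj.physical_path() != "/" + url_path.strip("/")


def build_site():
    # Constructed tree using the folder names from the thread.
    root = Node("")
    dev = root.add("site").add("dev")
    dev.add("customer1").add("folder").add("page")
    dev.add("customer2").add("folder1").add("folder2").add("page")
    return root
```

With this tree, the URL /site/dev/customer1/folder/customer2/folder1/folder2/page resolves to customer2's page while the requested path says customer1, which is exactly the mismatch a hook run after traversal can reject.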