27 Sep 2005, 9:47 a.m.
Each CPS instance has its own UserFolder. All users exist in the portal's UserFolder, but only exist in some CPMs' UserFolders. Now the problem is that, due to acquisition, a member existing in the Portal but not in a given CPM can gain access to this CPM by faking the URL, i.e. going to mydomain.tld/portal/cpm instead of mydomain.tld/cpm. So we have a potential (err...) security hole here, that I would like to address ASAP.
A normal pattern to use here would be to have one central user folder (e.g. at the root) and work with local roles in the sub-portals instead of having several user folders.

jens
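Added example, not part of either message and not Zope or CPS code: a simplified Python model of the two layouts discussed above, showing why /portal/cpm lets a portal-only member in when each sub-portal has its own user folder, and why a central user folder with local roles does not. The class, the function names, the users alice and bob, and the two lookup rules marked as assumptions in the comments are all hypothetical.

```python
# Simplified model of the lookup described above; not Zope or CPS code.
class Folder:
    def __init__(self, name, users=None):
        self.name, self.users = name, users   # users: {login: roles} or None
        self.children, self.local_roles, self.container = {}, {}, None

    def add(self, child):
        self.children[child.name] = child
        child.container = self
        return child

def traverse(root, url_path):
    """Objects visited for a URL; a name missing locally is acquired from earlier ones."""
    visited = [root]
    for name in url_path.strip("/").split("/"):
        owner = next((o for o in reversed(visited) if name in o.children), None)
        if owner is None:
            raise KeyError(name)
        visited.append(owner.children[name])
    return visited

def can_view(root, url_path, login, needed="Member"):
    visited = traverse(root, url_path)
    # Assumption: user folders are consulted along the URL path, innermost first.
    folder = next((o for o in reversed(visited) if o.users and login in o.users), None)
    if folder is None:
        return False
    roles = set(folder.users[login])
    # Assumption: local roles come from the target's real containers, not the URL.
    obj = visited[-1]
    while obj is not None:
        roles |= obj.local_roles.get(login, set())
        obj = obj.container
    return needed in roles

def separate_user_folders():      # layout from the question (constructed users)
    root = Folder("")
    root.add(Folder("portal", users={"alice": {"Member"}, "bob": {"Member"}}))
    root.add(Folder("cpm", users={"alice": {"Member"}}))
    return root

def central_user_folder():        # layout suggested in the reply
    root = Folder("", users={"alice": set(), "bob": set()})
    portal, cpm = root.add(Folder("portal")), root.add(Folder("cpm"))
    portal.local_roles = {"alice": {"Member"}, "bob": {"Member"}}
    cpm.local_roles = {"alice": {"Member"}}
    return root
```

In the first layout bob, who exists only in the portal's user folder, is refused at /cpm but accepted at /portal/cpm; in the second he is refused on both URLs while alice keeps access.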