[Zope-CMF] Nested CMF site access rights

Richard Shebora rlist@apogee-tech.com
Mon, 04 Mar 2002 10:03:30 -0500


Cravoisier Thierry wrote:

>Hi all,
>
>Zope 2.5
>CMF 1.2
>I also use LDAP authentication CMFLDAP.
>
>I try to prototype a complete CMF site to manage projects with a public
>area and specific secured project areas.
>CMF-1 Public
>  CMF-2 Private (Projects site) 
>    CMF-3 Project site 1
>    CMF-4 Project site 2
>People need to be authenticated to access content on CMF-2 Private
>otherwise as guest they cannot see the projects site.
>To do this I created a new role "Reader" on CMF-2 and changed access
>rule for "Access Content Information": rights are not acquired anymore
>and all roles except anonymous have authorization.
>The role of Reader is just for authorized people to see (read) all
>projects but not particularly to act on them.
>Up to now everything works fine. I log on when required (CMF-1) and can
>see all needed information (CMF2-3-4) and browse in them.
>When I decide to log out at any other level than the level I logged in I
>get the following error:
>"Unauthorized: You are not allowed to access portal_url in this context"
>
>Since the access to content information has been disabled for anonymous
>(right acquired from upper site) I cannot find any relevant URL to jump to.
>This sounds normal, but I would prefer to find back the latest authorized
>URL.
>
>What did I do wrong? Is there any smarter way to do this?
>Any feedback is welcome.
>
>Note that I am just a newbie and do not know anything about Python
>programming. I currently try to figure out how to master all products.
>
>Regards
>Thierry
>
Hello,

I do it a little differently.  I do not use a separate CMF instance for 
each department's work.  I create a single CMF then create departmental 
users.  By this I mean for "Project1" the user's ID is "Project1" and I 
give the Local role of Manager for this folder to another existing real 
person's user account.  You can have additional folders under this one or 
keep them all at the same level, your call.  Either way you give the 
appropriate local roles to the right real person's account and all is 
well.  By keeping real accounts and departmental accounts separate and 
only associating them with roles you can hire and fire people and just 
change the roles accordingly.  No users ever get created under a 
department's account; this would break the security that roles provide. 
Different look and feel for each department can be done with skins, but 
is probably not needed anyway.

HTH,
Richard
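
The access rules discussed in this thread, as a simplified model added here for illustration (not code from either poster and not the Zope/CMF API): a permission with acquisition switched off, local roles inherited by subfolders, and a walk upward to the nearest folder Anonymous may still read after logout. The names Folder, roles_allowed, roles_of, can_access and logout_target, and the user "alice", are hypothetical.

```python
from dataclasses import dataclass, field

ACI = "Access contents information"

@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    perms: dict = field(default_factory=dict)        # permission -> (acquire, roles)
    local_roles: dict = field(default_factory=dict)  # user id -> roles, inherited below

    def path(self):
        return (self.parent.path() if self.parent else "") + "/" + self.name

def roles_allowed(folder, permission=ACI):
    """Roles holding the permission here: merge upward until acquisition is off."""
    allowed = set()
    while folder is not None:
        acquire, roles = folder.perms.get(permission, (True, ()))
        allowed |= set(roles)
        if not acquire:
            break
        folder = folder.parent
    return allowed

def roles_of(user, global_roles, folder):
    """Global roles plus local roles granted on this folder or any ancestor."""
    roles = set(global_roles)
    while folder is not None:
        roles |= set(folder.local_roles.get(user, ()))
        folder = folder.parent
    return roles

def can_access(user, global_roles, folder):
    return bool(roles_of(user, global_roles, folder) & roles_allowed(folder))

def logout_target(folder):
    """Nearest folder, walking upward, that Anonymous may still read."""
    while folder is not None and not can_access(None, ("Anonymous",), folder):
        folder = folder.parent
    return folder

# Constructed sample tree mirroring the layout in the question.
cmf1 = Folder("CMF-1", perms={ACI: (False, ("Anonymous", "Manager"))})
cmf2 = Folder("CMF-2", cmf1, perms={ACI: (False, ("Reader", "Member", "Manager"))},
              local_roles={"alice": ("Reader",)})
cmf3 = Folder("CMF-3", cmf2, local_roles={"alice": ("Manager",)})
cmf4 = Folder("CMF-4", cmf2)
print(logout_target(cmf3).path())
```
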