[Zope-CMF] Nested CMF site access rights
Cravoisier Thierry
thierry.cravoisier@st.com
Tue, 05 Mar 2002 18:23:47 +0100
Thanks for this info.
That's a good approach and sounds interesting.
I forgot to mention some additional constraints such as:
- each project shall have its own news items (everybody is not
interested in getting all projects news..)
- I use LDAP authentication, I don't know how to properly mix standard
User Folder and LDAPUserFolder to implement your approach.
Concerns are:
- Should I define additional meta-data to characterize the news (and
the overall information, I will have to master within a project) so that
information remains local to the project unless stated otherwise. It
might be a kind of disclosure level (local, top...). I would need to
redefine all objects types with these specific meta-data and maybe to do
more.
- Maybe another solution with folders could be applied ("public")
I don't know what is best to do.
Maybe what I want to set up is too complicated. Any feedback, ...
solution is welcome.
Regards
Thierry
rlist@apogee-tech.com wrote:
>
> Cravoisier Thierry wrote:
>
> >Hi all,
> >
> >Zope 2.5
> >CMF 1.2
> >I also use LDAP authentication CMFLDAP.
> >
> >I try to prototype a complete CMF site to manage project with public
> >area and specific secured projects areas.
> >CMF-1 Public
> > CMF-2 Private (Projects site)
> > CMF-3 Project site 1
> > CMF-4 Project site 2
> >People need to be authenticated to access content on CMF-2 Private
> >otherwise as guest they cannot see the projects site.
> >To do this I created a new role "Reader" on CMF-2 and changed access
> >rule for "Access Content Information": rights are not acquired anymore
> >and all roles except anonymous have authorization.
> >The role of Reader is just for authorized people to see (read) all
> >projects but not particularly to act on them.
> >Up to now everything works fine. I log on when required (CMF-1) and can
> >see all needed information (CMF2-3-4) and browse in them.
> >When I decide to log out at any other level than the level I logged in I
> >get the following error:
> >"Unauthorized: You are not allowed to access portal_url in this context"
> >
> >Since the access to content information has been disabled for anonymous
> >(right acquired from upper site) I cannot find any relevant URL to jump.
> >This sounds normal, but would prefer to find back the latest authorized
> >URL.
> >
> >What did I do wrong? Is there any smarter way to do this?
> >Any feedback is welcome.
> >
> >Note that I am just a newbie and do not know anything about python
> >programming. I currently try to figure out how to master all products.
> >
> >Regards
> >Thierry
> >
> >_______________________________________________
> >Zope-CMF maillist - Zope-CMF@zope.org
> >http://lists.zope.org/mailman/listinfo/zope-cmf
> >
> >See http://www.zope.org/Products/PTK/Tracker for bug reports and feature requests
> >
> Hello,
>
> I do it a little differently. I do not use a separate CMF instance for
> each department's work. I create a single CMF then create departmental
> users. By this I mean for "Project1" the user's ID is "Project1" and I
> give the Local role of Manager for this folder to another existing real
> person's user account. You can have additional folders under this one or
> keep them all at the same level, your call. Either way you give the
> appropriate local roles to the right real person's account and all is
> well. By keeping real accounts and departmental accounts separate and
> only associating them with roles you can hire and fire people and just
> change the roles accordingly. No users ever get created under a
> department's account; this would break the security that roles provide.
> Different look and feel for each department can be done with skins, but
> is probably not needed anyway.
>
> HTH,
> Richard
>
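The permission setup discussed in this thread, modelled as an added example (not code from the thread or from Zope/CMF): it shows why a logged-out visitor is refused inside the private site once "Access contents information" stops being acquired, and how a local Manager role on one project folder does not carry over to a sibling. The Node class, the user id jdoe and the exact role lists are assumptions made for the illustration.

```python
# Simplified model of Zope 2 permission acquisition and local roles.
# Added illustration, not Zope/CMF source; user ids are constructed.
VIEW = "Access contents information"
EDIT = "Modify portal content"

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.perm_roles = {}   # permission -> (roles, acquire flag)
        self.local_roles = {}  # user id -> roles granted at this node

    def set_permission(self, perm, roles, acquire):
        self.perm_roles[perm] = (set(roles), acquire)

    def roles_for_permission(self, perm):
        # Roles holding perm here; parents count only while acquire is on.
        roles, acquire = self.perm_roles.get(perm, (set(), True))
        if acquire and self.parent is not None:
            roles = roles | self.parent.roles_for_permission(perm)
        return roles

    def roles_of(self, user_id, global_roles):
        # Global roles plus local roles granted here or on any ancestor.
        roles, node = set(global_roles), self
        while node is not None:
            roles |= node.local_roles.get(user_id, set())
            node = node.parent
        return roles

def allowed(node, perm, user_id, global_roles):
    return bool(node.roles_of(user_id, global_roles)
                & node.roles_for_permission(perm))

def build_sites():
    cmf1 = Node("CMF-1")  # public site
    cmf1.set_permission(VIEW, {"Anonymous", "Authenticated", "Manager"}, False)
    cmf1.set_permission(EDIT, {"Manager", "Owner"}, False)
    cmf2 = Node("CMF-2", cmf1)  # private site: acquisition off, no Anonymous
    cmf2.set_permission(VIEW, {"Authenticated", "Reader", "Manager"}, False)
    cmf3, cmf4 = Node("CMF-3", cmf2), Node("CMF-4", cmf2)  # project sites
    cmf3.local_roles["jdoe"] = {"Manager"}  # local role on one project only
    return cmf1, cmf2, cmf3, cmf4

if __name__ == "__main__":
    cmf1, cmf2, cmf3, cmf4 = build_sites()
    print(allowed(cmf3, VIEW, None, {"Anonymous"}))   # logged-out visitor
    print(allowed(cmf3, EDIT, "jdoe", {"Authenticated"}))
    print(allowed(cmf4, EDIT, "jdoe", {"Authenticated"}))
```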