[Zope] Aquisition, UserFolder and security
Jens Vagelpohl
jens at dataflake.org
Tue Sep 27 05:47:18 EDT 2005
> Each CPS instance has its own UserFolder. All users exist in the
> portal's UserFolder, but only exist in some CPMs' UserFolders. Now the
> problem is that, due to acquisition, a member existing in the Portal but
> not in a given CPM can gain access to this CPM by faking the url - ie:
> going to mydomain.tld/portal/cpm instead of mydomain.tld/cpm. So we have
> a potential (err...) security hole here, that I would like to
> address ASAP.
A normal pattern to use here would be to have one central user folder
(e.g. at the root) and work with local roles in the sub-portals
instead of having several user folders.
jens
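The hole described in the question and the pattern suggested in the reply, modelled in plain Python as an added illustration (this is a simplified stand-in for how Zope 2 acquires `acl_users` and local roles along the URL path, not Zope's own code; the object ids, users, passwords and role names are constructed, and the fix assumes each site protects its content with its own distinct role):

```python
# Simplified model of Zope 2 acquisition (not Zope's real API). The URL
# path builds the acquisition chain; every object on the path is searched,
# nearest first, for what the request needs (a user folder, local roles).

def authenticate(chain, userid, password):
    """Try each acquired user folder, nearest first, until one validates."""
    for obj in reversed(chain):
        uf = obj.get("acl_users")
        if uf is not None and uf.get(userid) == password:
            return True
    return False

def acquired_roles(chain, userid):
    """Local roles are acquired too: union over every object on the chain."""
    roles = set()
    for obj in chain:
        roles |= set(obj.get("local_roles", {}).get(userid, ()))
    return roles

def can_access(chain, userid, password, required_role):
    """Authentication through acquisition, then a role check in context."""
    return (authenticate(chain, userid, password)
            and required_role in acquired_roles(chain, userid))

# Constructed data, setup 1: one UserFolder per site, as in the question.
root1 = {"id": "root"}
portal1 = {"id": "portal", "acl_users": {"alice": "a-pw", "bob": "b-pw"}}
cpm1 = {"id": "cpm", "acl_users": {"alice": "a-pw"}}

def hole_demo():
    """bob is unknown to cpm's UserFolder, but the longer URL acquires portal's."""
    direct = [root1, cpm1]                # mydomain.tld/cpm
    via_portal = [root1, portal1, cpm1]   # mydomain.tld/portal/cpm
    return (authenticate(direct, "bob", "b-pw"),
            authenticate(via_portal, "bob", "b-pw"))   # (False, True)

# Constructed data, setup 2: one central UserFolder at the root, local roles
# in each sub-portal, with a distinct role guarding each site's content.
root2 = {"id": "root", "acl_users": {"alice": "a-pw", "bob": "b-pw"}}
portal2 = {"id": "portal", "local_roles": {"bob": ("PortalMember",)}}
cpm2 = {"id": "cpm", "local_roles": {"alice": ("CPMMember",)}}

def fix_demo():
    """bob authenticates everywhere but never acquires CPMMember; alice does."""
    direct = [root2, cpm2]
    via_portal = [root2, portal2, cpm2]
    return (can_access(direct, "bob", "b-pw", "CPMMember"),
            can_access(via_portal, "bob", "b-pw", "CPMMember"),
            can_access(via_portal, "alice", "a-pw", "CPMMember"))  # (False, False, True)
```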