[Zope] Aquisition, UserFolder and security
bruno modulix
bruno at modulix.org
Tue Sep 27 06:17:02 EDT 2005
Jens Vagelpohl wrote:
>> Each CPS instance has its own UserFolder. All users exists in the
>> portal's UserFolder, but only exists in some CPMs UserFolders. Now the
>> problem is that, due to acquisition, a member existing in the Portal but
>> not in a given CPM can gain access to this CPM by faking the url - ie:
>> going to mydomain.tld/portal/cpm instead of mydomain.tld/cpm. So we have
>> a potential (err...) security hole here, that I would like to address
>> ASAP.
>
>
> A normal pattern to use here would be to have one central user folder
> (e.g. at the root) and work with local roles in the sub-portals instead
> of having several user folders.
I know, but I don't think it will possible here (this is an euphemism).
The UserFolder is a LDAPUserGroupsFolder, users data are stored in a
LDAP directory, with one branch for each CPS instance, and some user
data and schema varying from one branch to another. We don't have the
possibility to change this (it's part of a bigger system), and we don't
have the time to rewrite a custom LDAPUserFolder that could accomodate
this LDAP schema (this project was already very late when we took on it
and we have a *very* tight deadline - I hate this situation, but I have
to deal with it...). Any robust solution, as hackish as it may be, will
be just fine, as long as we deliver on time.
--
Bruno Desthuilliers
Développeur
bruno at modulix.org
More information about the Zope
mailing list