[Zope] [resolved ???] Aquisition, UserFolder and security

bruno modulix bruno at modulix.org
Tue Sep 27 13:08:47 EDT 2005


bruno modulix wrote:
(snip)
> Each CPS instance has its own UserFolder. All users exists in the
> portal's UserFolder, but only exists in some CPMs UserFolders. Now the
> problem is that, due to acquisition, a member existing in the Portal but
> not in a given CPM can gain access to this CPM by faking the url - ie:
> going to mydomain.tld/portal/cpm instead of mydomain.tld/cpm. So we have
> a potential (err...) security hole here, that I would like to address ASAP.
> 
(snip)
>
> Another thing I've been thinking of, reading BasicUserFolder's source,
> would be to subclass it and redefine the _isTop() method so users
> wouldn't been looked up for in a UserFolder placed in the context by
> acquisition, but I don't know enough about the whole mechanism to be
> sure it would'nt have unwanted side-effects and drawbacks.

Ok, I've tried a Q&D hack here, redifining userFolder's _isTop() to
always return True, and it seems to do the job. But if someone is aware
of any drawback of this hack (apart from the fact that there's no more
way to authenticate again a 'higher' userFolder...), I'd be interested...

> It's also very possible that I missed another simpler and better
> solution, so here again, any hint, pointer etc is *very* welcome.

This still holds !-)

And thanks to the Three Jeez (Jens, Julien and Jonathan) for having
taking time to try to help me.

-- 
Bruno Desthuilliers
Développeur
bruno at modulix.org


More information about the Zope mailing list