[Zope] Acquisition, UserFolder and security
Dieter Maurer
dieter at handshake.de
Wed Sep 28 12:55:39 EDT 2005
bruno modulix wrote at 2005-9-28 10:02 +0200:
>Dieter Maurer wrote:
> ...
>> Sounds like a permission to role mapping flaw...
>>
>> Apparently, roles controlled by the "Portal" UserFolder (e.g.
>> "Authenticated") are allowed to do things in your CPM that
>> should only be allowed by roles controlled by their UserFolder.
>>
>> You may be able to fix this by making the roles controlled
>> by the "Portal" and the "CPM" level disjoint.
>>
>> "Authenticated" cannot be made disjoint -- but you may not use
>> it inside your CPMs.
>
>The problem here is that CPS (the portal and all CPMs are CPS instances)
>uses predefined roles, on which the various workflows rely, so that
>would mean renaming all roles - differently - on each CPM, and modifying
>the workflows too.
I think that it would only be necessary that the roles
are disjoint between "Portal" and "CPM". All "CPM"s can use
the same roles.
>Given that the customer is going to create new CPMs
>"at will", I'm afraid this solution is somewhat unpractical...
Maybe, this changes when you need to touch only the "Portal" roles?
--
Dieter
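
Added example, not part of the original message and not Zope or CPS code: a toy Python model of the permission-to-role overlap discussed in this thread, comparing shared role names, disjoint role names, and a CPM permission mapped to "Authenticated". The `Folder` class, the users `alice` and `bob`, the roles `Member` and `PortalMember`, and the permission `Edit content` are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Folder:
    """Toy container with its own user folder and permission-to-role map."""
    name: str
    parent: "Folder | None" = None
    users: dict = field(default_factory=dict)        # user id -> roles granted here
    permissions: dict = field(default_factory=dict)  # permission -> roles allowed

    def roles_of(self, user_id):
        """Find the user in the nearest user folder up the containment chain."""
        node = self
        while node is not None:
            if user_id in node.users:
                # Any user known to some user folder also counts as Authenticated.
                return set(node.users[user_id]) | {"Authenticated"}
            node = node.parent
        return {"Anonymous"}

    def allowed(self, user_id, permission):
        return bool(self.roles_of(user_id) & self.permissions.get(permission, set()))

    def exposed_to_parent(self):
        """Permissions here that a role handed out by an ancestor user folder satisfies."""
        outer, node = {"Authenticated"}, self.parent
        while node is not None:
            for roles in node.users.values():
                outer |= set(roles)
            node = node.parent
        return {p: sorted(r & outer) for p, r in self.permissions.items() if r & outer}

def build(portal_role, cpm_role, edit_roles=None):
    """Constructed sample: alice lives in the Portal user folder, bob in the CPM's."""
    portal = Folder("Portal", users={"alice": {portal_role}})
    return Folder("CPM", parent=portal, users={"bob": {cpm_role}},
                  permissions={"Edit content": edit_roles or {cpm_role}})

if __name__ == "__main__":
    for label, cpm in [("shared roles", build("Member", "Member")),
                       ("disjoint roles", build("PortalMember", "Member")),
                       ("uses Authenticated", build("PortalMember", "Member", {"Authenticated"}))]:
        print(label, cpm.allowed("alice", "Edit content"), cpm.exposed_to_parent())
```

An empty result from `exposed_to_parent()` is the state the disjoint-roles suggestion aims for: only the "Portal" side needed renaming, and every CPM keeps the same role names.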