[Zope] Acquisition, UserFolder and security

bruno modulix bruno at modulix.org
Thu Sep 29 07:20:12 EDT 2005


Dieter Maurer wrote:
> bruno modulix wrote at 2005-9-28 10:02 +0200:
> 
>>Dieter Maurer wrote:
>>...
>>
>>>Sounds like a permission to role mapping flaw...
>>>
>>>  Apparently, roles controlled by the "Portal" UserFolder (e.g.
>>>  "Authenticated") are allowed to do things in your CPM that
>>>  should only be allowed by roles controlled by their UserFolder.
>>>
>>>You may be able to fix this by making the roles controlled
>>>by the "Portal" and the "CPM" level disjoint.
>>>
>>>"Authenticated" cannot be made disjoint -- but you may not use
>>>it inside your CPMs.
>>
>>The problem here is that CPS (the portal and all CPMs are CPS instances)
>>uses predefined roles, on which the various workflows rely, so that
>>would mean renaming all roles - differently - on each CPM, and modifying
>>the workflows too.
> 
> 
> I think that it would only be necessary that the roles
> are disjoint between "Portal" and "CPM". All "CPM"s can use
> the same roles.

Nope. Some users may have different roles from CPM to CPM.

> 
>>Given that the customer is going to create new CPMs
>>"at will", I'm afraid this solution is somewhat unpractical...
> 
> 
> Maybe, this changes when you need to touch only the "Portal" roles?
> 
I don't want to mess with CPS predefined roles. But thanks anyway.

-- 
Bruno Desthuilliers
Développeur
bruno at modulix.org
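
A simplified model of the role overlap discussed in this thread, added here as an illustration; it is not Zope or CPS code. The Folder class, the user names, the permission names and the "PortalMember" role are constructed for the example, and the lookup rule (user folders searched from the object upward, first one that authorizes wins) is a deliberate simplification.

```python
from dataclasses import dataclass, field

@dataclass
class Folder:
    """Constructed stand-in for a container that may hold a user folder."""
    name: str
    parent: "Folder | None" = None
    users: dict = field(default_factory=dict)             # user id -> set of roles
    permission_roles: dict = field(default_factory=dict)  # permission -> roles

    def chain(self):
        """Yield this folder and its ancestors, nearest first."""
        node = self
        while node is not None:
            yield node
            node = node.parent

def roles_for_permission(obj, permission):
    """The nearest explicit permission-to-role mapping applies."""
    for node in obj.chain():
        if permission in node.permission_roles:
            return node.permission_roles[permission]
    return {"Manager"}

def allowed(obj, user_id, permission):
    """Walk user folders upward; any folder that knows the user and
    gives them a matching role authorizes the request."""
    needed = roles_for_permission(obj, permission)
    for node in obj.chain():
        roles = node.users.get(user_id)
        # every identified user implicitly holds "Authenticated"
        if roles is not None and (roles | {"Authenticated"}) & needed:
            return True
    return False

def build(portal_role):
    """Portal user 'alice' holds portal_role; CPM user 'bob' holds 'Member'."""
    portal = Folder("Portal", users={"alice": {portal_role}})
    return Folder("CPM-1", parent=portal, users={"bob": {"Member"}},
                  permission_roles={"Modify content": {"Member"},
                                    "View": {"Authenticated"}})

if __name__ == "__main__":
    for role in ("Member", "PortalMember"):
        cpm = build(role)
        print(role, {u: allowed(cpm, u, "Modify content") for u in ("alice", "bob")},
              "alice View:", allowed(cpm, "alice", "View"))
```

With a shared role name the Portal-level user passes the CPM's check; with a disjoint Portal role she does not, while any permission mapped to "Authenticated" inside the CPM remains open to her either way.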

