Re: [Zope] Aquisition, UserFolder and security

2005-09-30 Thread bruno modulix
Dieter Maurer wrote: bruno modulix wrote at 2005-9-29 13:20 +0200: ... The problem here is that CPS (the portal and all CPMs are CPS instances) uses predefined roles, on which the various workflows relies, so that would mean renaming all roles - differently - on each CPM, and modifying the

Re: [Zope] Aquisition, UserFolder and security

2005-09-30 Thread Dieter Maurer
bruno modulix wrote at 2005-9-30 09:38 +0200: ... Dieter, I didn't misunderstood your proposed solution. But some users exist in different CPMs with different roles in each CPM. So - unless I'm totally at lost with how Zope's security works - if User1 has role RoleWithMuchPrivileges in Cpm1 and

Re: [Zope] Aquisition, UserFolder and security

2005-09-29 Thread bruno modulix
Dieter Maurer wrote: bruno modulix wrote at 2005-9-28 10:02 +0200: Dieter Maurer wrote: ... Sounds like a permission to role mapping flaw... Apparently, roles controlled by the Portal UserFolder (e.g. Authenticated) are allowed to do things in your CPM that you only be allowed by roles

Re: [Zope] Aquisition, UserFolder and security

2005-09-29 Thread Dieter Maurer
bruno modulix wrote at 2005-9-29 13:20 +0200: ... The problem here is that CPS (the portal and all CPMs are CPS instances) uses predefined roles, on which the various workflows relies, so that would mean renaming all roles - differently - on each CPM, and modifying the workflows too. I think

Re: [Zope] Aquisition, UserFolder and security

2005-09-28 Thread bruno modulix
Dieter Maurer wrote: Hi Dieter bruno modulix wrote at 2005-9-27 11:34 +0200: I have a little problem with aquisition and security. We have a project using multiple CPS instances (for those that don't know CPS, it's a CMF based groupware/CMS) running in the same Zope instance, and being

Re: [Zope] Aquisition, UserFolder and security

2005-09-28 Thread Andrew Milton
+---[ bruno modulix ]-- | Dieter Maurer wrote: | | Hi Dieter | | bruno modulix wrote at 2005-9-27 11:34 +0200: | | I have a little problem with aquisition and security. We have a project | using multiple CPS instances (for those that don't know CPS, it's a CMF | based

Re: [Zope] Aquisition, UserFolder and security

2005-09-28 Thread bruno modulix
Andrew Milton wrote: (snip) And turning off Acquire roles on the security tab of the folders you don't want to have acquired doesn't work? This would probably be the cleanest solution here, and - shame on me - I didn't even think of it. Now the problem is that CPS has a very complex

Re: [Zope] Aquisition, UserFolder and security

2005-09-28 Thread Dieter Maurer
bruno modulix wrote at 2005-9-28 10:02 +0200: Dieter Maurer wrote: ... Sounds like a permission to role mapping flaw... Apparently, roles controlled by the Portal UserFolder (e.g. Authenticated) are allowed to do things in your CPM that you only be allowed by roles controlled by their

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Jens Vagelpohl
Each CPS instance has its own UserFolder. All users exists in the portal's UserFolder, but only exists in some CPMs UserFolders. Now the problem is that, due to acquisition, a member existing in the Portal but not in a given CPM can gain access to this CPM by faking the url - ie: going to

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread bruno modulix
Jens Vagelpohl wrote: Each CPS instance has its own UserFolder. All users exists in the portal's UserFolder, but only exists in some CPMs UserFolders. Now the problem is that, due to acquisition, a member existing in the Portal but not in a given CPM can gain access to this CPM by faking the

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Jens Vagelpohl
On 27 Sep 2005, at 11:17, bruno modulix wrote: A normal pattern to use here would be to have one central user folder (e.g. at the root) and work with local roles in the sub-portals instead of having several user folders. I know, but I don't think it will possible here (this is an

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Julien Anguenot
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Bruno, If you're using a central LDAP for all the instances you can restrict the access from the different instances using either LDAPUserGroupsFolder or CPSUserFolder. Discrimination are done by LDAP branches (users or groups). If you can't

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread bruno modulix
Julien Anguenot wrote: Hi Bruno, Hi Julien, If you're using a central LDAP for all the instances you can restrict the access from the different instances using either LDAPUserGroupsFolder or CPSUserFolder. Discrimination are done by LDAP branches (users or groups). If you can't control

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread bruno modulix
Jens Vagelpohl wrote: On 27 Sep 2005, at 11:17, bruno modulix wrote: A normal pattern to use here would be to have one central user folder (e.g. at the root) and work with local roles in the sub-portals instead of having several user folders. I know, but I don't think it will

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread bruno modulix
Jonathan wrote: Could you create a central user folder (in root) and then create an external method which queries all of the LDAP branches and returns the appropriate local roles to the central user folder when the user logs in? This way you get a central user folder and can keep all your

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Julien Anguenot
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 bruno modulix wrote: Julien Anguenot wrote: Hi Bruno, Hi Julien, If you're using a central LDAP for all the instances you can restrict the access from the different instances using either LDAPUserGroupsFolder or CPSUserFolder.

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread bruno modulix
Julien Anguenot wrote: bruno modulix wrote: Julien Anguenot wrote: (snip) To sum up it's a matter of configuration. I'm afraid there's more to it than just a matter of configuration, cf below... I confirm. For having done the intranet of the Senegal gouvernement (almost 35 CPS (one

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Jonathan
] Aquisition, UserFolder and security Julien Anguenot wrote: bruno modulix wrote: Julien Anguenot wrote: (snip) To sum up it's a matter of configuration. I'm afraid there's more to it than just a matter of configuration, cf below... I confirm. For having done the intranet of the Senegal

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Julien Anguenot
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 bruno modulix wrote: You'll find it on the cps-users list. I'm not a CPS expert[1] - and not even a Zope expert - but from what I saw, it seemed to imply more than only TALES expressions... [1] given the change pace and resulting lack of

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread bruno modulix
Julien Anguenot wrote: bruno modulix wrote: You'll find it on the cps-users list. I'm not a CPS expert[1] - and not even a Zope expert - but from what I saw, it seemed to imply more than only TALES expressions... [1] given the change pace and resulting lack of documentation, I guess only you

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Julien Anguenot
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 bruno modulix wrote: Julien Anguenot wrote: bruno modulix wrote: You'll find it on the cps-users list. I'm not a CPS expert[1] - and not even a Zope expert - but from what I saw, it seemed to imply more than only TALES expressions... [1] given

Re: [Zope] Aquisition, UserFolder and security

2005-09-27 Thread Dieter Maurer
bruno modulix wrote at 2005-9-27 11:34 +0200: I have a little problem with aquisition and security. We have a project using multiple CPS instances (for those that don't know CPS, it's a CMF based groupware/CMS) running in the same Zope instance, and being siblings of each others [1]. One of these