Each CPS instance has its own UserFolder. All users exist in the
portal's UserFolder, but only exist in some CPMs' UserFolders. Now the
problem is that, due to acquisition, a member existing in the Portal but
not in a given CPM can gain access to this CPM by faking the URL - i.e.
going to mydomain.tld/portal/cpm instead of mydomain.tld/cpm. So we have a potential (err...) security hole here, that I would like to address ASAP.

A normal pattern to use here would be to have one central user folder (e.g. at the root) and work with local roles in the sub-portals instead of having several user folders.

