Each CPS instance has its own UserFolder. All users exist in the
portal's UserFolder, but only exist in some CPMs' UserFolders. Now the
problem is that, due to acquisition, a member existing in the Portal but
not in a given CPM can gain access to this CPM by faking the URL - i.e.
going to mydomain.tld/portal/cpm instead of mydomain.tld/cpm. So we have
a potential (err...) security hole here, that I would like to
address ASAP.

A normal pattern to use here would be to have one central user folder
(e.g. at the root) and work with local roles in the sub-portals
instead of having several user folders.
jens
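
A simplified model of the pattern suggested in the reply, added here as an illustration; it is not Zope or CPS code and not from either poster. It assumes `portal` and `cpm` are siblings under the root and that local roles are resolved along physical containment; all class, function and user names are hypothetical.

```python
# Toy model: one central user set, membership expressed as local roles.
class Folder:
    def __init__(self, name, container=None):
        self.name, self.container = name, container
        self.children = {}
        self.local_roles = {}            # user id -> set of roles on this object
        if container is not None:
            container.children[name] = self

def containment_chain(obj):
    """Yield obj and its physical containers, whatever URL was used to reach it."""
    while obj is not None:
        yield obj
        obj = obj.container

def traverse(root, path):
    """Resolve a URL path; a name missing locally is acquired from a container."""
    obj = root
    for name in path.strip("/").split("/"):
        for node in containment_chain(obj):
            if name in node.children:
                obj = node.children[name]
                break
        else:
            raise KeyError(name)
    return obj

def roles_on(obj, user_id, users):
    """Roles come only from local roles on obj and its physical containers."""
    if user_id not in users:             # unknown to the central user folder
        return set()
    roles = set()
    for node in containment_chain(obj):
        roles |= node.local_roles.get(user_id, set())
    return roles

def may_view(root, path, user_id, users, required="Member"):
    return required in roles_on(traverse(root, path), user_id, users)

USERS = {"alice", "bob"}                 # constructed central user folder

def build_site():
    root = Folder("")
    portal, cpm = Folder("portal", root), Folder("cpm", root)
    portal.local_roles = {"alice": {"Member"}, "bob": {"Member"}}
    cpm.local_roles = {"alice": {"Member"}}   # bob is not a member of this CPM
    return root
```

In this model `bob` is refused on both `cpm` and `portal/cpm`, because the decision depends on the local roles stored on the CPM itself rather than on which folder the URL passed through.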