Jens Vagelpohl wrote: >> Each CPS instance has its own UserFolder. All users exists in the >> portal's UserFolder, but only exists in some CPMs UserFolders. Now the >> problem is that, due to acquisition, a member existing in the Portal but >> not in a given CPM can gain access to this CPM by faking the url - ie: >> going to mydomain.tld/portal/cpm instead of mydomain.tld/cpm. So we have >> a potential (err...) security hole here, that I would like to address >> ASAP. > > > A normal pattern to use here would be to have one central user folder > (e.g. at the root) and work with local roles in the sub-portals instead > of having several user folders.
I know, but I don't think it will possible here (this is an euphemism). The UserFolder is a LDAPUserGroupsFolder, users data are stored in a LDAP directory, with one branch for each CPS instance, and some user data and schema varying from one branch to another. We don't have the possibility to change this (it's part of a bigger system), and we don't have the time to rewrite a custom LDAPUserFolder that could accomodate this LDAP schema (this project was already very late when we took on it and we have a *very* tight deadline - I hate this situation, but I have to deal with it...). Any robust solution, as hackish as it may be, will be just fine, as long as we deliver on time. -- Bruno Desthuilliers Développeur [EMAIL PROTECTED] _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )