Dieter Maurer wrote:
> bruno modulix wrote at 2005-9-29 13:20 +0200:
> >>...
> >>
> >>>>The problem here is that CPS (the portal and all CPMs are CPS instances)
> >>>>uses predefined roles, on which the various workflows rely, so that
> >>>>would mean renaming all roles - differently - on each CPM, and modifying
> >>>>the workflows too.
> >>>
> >>>I think that it would only be necessary that the roles
> >>>are disjoint between "Portal" and "CPM". All "CPM"s can use
> >>>the same roles.
> >>
> >>Nope. Some users may have different roles from CPM to CPM.
>
> I did not say that the "user to role" mapping should (or even must)
> be identical in all CPMs but that the *set* of roles *might* be identical
> in all CPMs -- or to say it differently: that you are not forced
> to use disjoint role sets for any pair of CPMs.
>
> Hopefully, you see the difference...
Dieter, I didn't misunderstand your proposed solution. But some users exist in different CPMs with different roles in each CPM. So - unless I'm totally at a loss with how Zope's security works - if User1 has role RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2, he could gain RoleWithMuchPrivileges in Cpm2 just by using a faked URL cpm1/cpm2/whatever_he_should_not_access_here.

Worse, anyone existing in any CPM could gain access to any other CPM just by faking the URL.

See, it's not only a 'portal roles' vs 'CPMs roles' problem, it's a 'sibling CPS instances in the same Zope container with the same domain name' problem. Playing with roles and permissions acquisition settings and whatever is not the solution here IMHO. Detecting and correcting 'faked' URLs would be simpler and better - and that's somehow the solution I applied - even if in a somewhat hackish way.

BTW I'm still looking for a "hands on" doc on traversal hooks, if there's such a thing...

--
Bruno Desthuilliers
Developer
[EMAIL PROTECTED]

_______________________________________________
Zope maillist - [email protected]
http://mail.zope.org/mailman/listinfo/zope
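The faked-URL check Bruno describes, as an added example that is not part of the thread or of CPS: a stand-alone path validator that refuses a request whose path enters one CPS instance and then, through acquisition, a sibling instance (e.g. `cpm1/cpm2/...`). The instance ids in `CPM_IDS` are constructed sample values, and the wiring into a Zope 2 `__before_publishing_traverse__` hook is only sketched in the comments.

```python
# Added example (not from the thread): detect "faked" URLs such as
# /portal/cpm1/cpm2/secret, where acquisition would let a request that
# entered cpm1 (with cpm1's roles) reach the sibling instance cpm2.
# Assumed setup: the Zope container holds the CPS instances in CPM_IDS.

CPM_IDS = frozenset({"cpm1", "cpm2", "cpm3"})   # constructed sample ids


class FakedPathError(Exception):
    """Raised when a path crosses from one CPM into a sibling CPM."""


def split_path(url_path):
    """Return the non-empty segments of a URL path, ignoring any query string."""
    path = url_path.split("?", 1)[0]
    return [seg for seg in path.split("/") if seg]


def find_crossing(url_path, cpm_ids=CPM_IDS):
    """Return (first_cpm, second_cpm) if the path enters one CPS instance
    and later a *different* one, or None if the path stays inside one CPM.
    A repeated identical id is not flagged: acquiring cpm1 from within cpm1
    yields the same object and the same roles."""
    entered = None
    for seg in split_path(url_path):
        if seg in cpm_ids:
            if entered is not None and seg != entered:
                return entered, seg
            entered = seg
    return None


def is_faked(url_path, cpm_ids=CPM_IDS):
    """True when the path hops between two sibling CPS instances."""
    return find_crossing(url_path, cpm_ids) is not None


def check_path(url_path, cpm_ids=CPM_IDS):
    """Accept a path (return True) or raise FakedPathError.
    Assumed Zope wiring: call this from a container's
    __before_publishing_traverse__(self, object, request) with
    request['PATH_INFO'], and raise zExceptions.NotFound instead of
    FakedPathError so the client only sees a 404."""
    crossing = find_crossing(url_path, cpm_ids)
    if crossing is not None:
        raise FakedPathError(
            "path %r enters %s and then sibling %s" % ((url_path,) + crossing))
    return True
```

Running the hook before traversal (rather than after) matters: once acquisition has resolved the sibling object, the roles the user holds in the first CPM are already in effect.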
