Florent Guillaume wrote:
> bruno modulix wrote:
>
>> Dieter, I didn't misunderstand your proposed solution. But some users
>> exist in different CPMs with different roles in each CPM. So - unless
>> I'm totally at a loss with how Zope's security works - if User1 has role
>> RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
>> he could gain RoleWithMuchPrivileges in Cpm2 just by using a faked URL
>> cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
>> any CPM could gain access to any other CPM just by faking the URL.
>
> As Tres mentioned, that should not be possible, as it's contrary to the
> Zope Security Policy.

As I mentioned, I may *also* be completely at a loss with the inner workings of Zope's security policy :-/

> Can you reproduce it within a blank CPS instance using standard CPS
> products? If yes, could you explain the steps to reproduce it, and the
> versions of CPS, CMF, Zope and Python you use?

What I observed is that, given two sibling CPS instances (cpsA and cpsB) with LDAPUserGroupsFolder, a user existing only in cpsA, once authenticated in cpsA, is still viewed as authenticated when accessing cpsB through the cpsA/cpsB URL.

I don't have much time right now to investigate further, but I'll do so ASAP and let you know if I find anything strange.

-- 
Bruno Desthuilliers
Developer
[EMAIL PROTECTED]