Florent Guillaume wrote:
> bruno modulix wrote:
>> Dieter, I didn't misunderstand your proposed solution. But some users
>> exist in different CPMs with different roles in each CPM. So - unless
>> I'm totally at a loss with how Zope's security works - if User1 has role
>> RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
>> he could gain RoleWithMuchPrivileges in Cpm2 just by using faked url
>> cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
>> any CPM could gain access to any other CPM just by faking url.
> As Tres mentioned, that should not be possible, as it's contrary to the
> Zope Security Policy.

As I mentioned, I may *also* be completely at a loss with the inner workings of
Zope's security policy :-/

> Can you reproduce it within a blank CPS instance using standard CPS
> products? If yes, could you explain the steps to reproduce it, and the
> versions of CPS, CMF, Zope and python you use?

What I observed is that, given 2 sibling CPS instances (cpsA and cpsB)
with LDAPUserGroupsFolder, a user existing only in cpsA, once
authenticated in cpsA, is still viewed as authenticated when accessing
cpsB through the cpsA/cpsB url. I don't have much time right now to
investigate further, but I'll do ASAP and let you know if I find
anything strange.

Bruno Desthuilliers
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )
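The concern raised in the thread is that acquisition-style traversal lets a URL such as cpsA/cpsB/... reach cpsB's content while cpsA (and its user folder) remains in the acquisition context. The following is an added illustration, not code from the thread, from Zope or from CPS: it is a deliberately small Python model of acquisition traversal with two sibling sites, and it contrasts a weak authorization check (user folder anywhere in the URL's acquisition chain) with a strict one (user folder must physically contain the target). Folder names, the `user1` login, the `secret` object and the role string are constructed for the example; the model does not claim to reproduce Zope's real security policy, only to show why the check must be based on containment rather than on the traversal path.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# eq=False: compare folders by identity, so `in` tests on chains are unambiguous.
@dataclass(eq=False)
class Folder:
    """A container. A non-empty `users` dict makes it act as a user folder
    (roughly the role acl_users plays in a Zope/CPS site)."""
    name: str
    parent: Optional["Folder"] = None
    children: Dict[str, "Folder"] = field(default_factory=dict)
    users: Dict[str, Set[str]] = field(default_factory=dict)  # login -> roles

    def add(self, child: "Folder") -> "Folder":
        child.parent = self
        self.children[child.name] = child
        return child

    def containment_chain(self) -> List["Folder"]:
        """Physical parents only: self first, root last."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


def traverse(root: Folder, path: str) -> List[Folder]:
    """Acquisition-style traversal (simplified model): each path segment is
    looked up in the current object first, then in the objects it was reached
    through. Returns the acquisition chain, innermost object first."""
    chain = [root]
    for seg in path.strip("/").split("/"):
        for candidate in chain:  # current object, then its acquisition ancestors
            if seg in candidate.children:
                chain = [candidate.children[seg]] + chain
                break
        else:
            raise KeyError(f"no object named {seg!r} on path {path!r}")
    return chain


def authenticate(chain: List[Folder], login: str) -> Optional[Folder]:
    """Return the innermost folder on the acquisition chain that knows `login`
    (the credential check itself is elided; the model only asks who vouches)."""
    for folder in chain:
        if login in folder.users:
            return folder
    return None


def allowed_by_acquisition(user_folder: Folder, chain: List[Folder]) -> bool:
    """Weak check: the vouching user folder appears somewhere in the URL's
    acquisition chain. A crafted cpsA/cpsB/... path satisfies this."""
    return user_folder in chain


def allowed_by_containment(user_folder: Folder, chain: List[Folder]) -> bool:
    """Strict check: the vouching user folder must physically contain the
    target object, regardless of how the URL was spelled."""
    return user_folder in chain[0].containment_chain()


def demo() -> Dict[str, Tuple[Optional[str], bool, bool]]:
    """Constructed scenario: user1 exists only in cpsA; `secret` lives in cpsB.
    Maps each URL to (vouching folder, weak-check result, strict-check result)."""
    root = Folder("root")
    cps_a = root.add(Folder("cpsA", users={"user1": {"RoleWithMuchPrivileges"}}))
    cps_b = root.add(Folder("cpsB"))
    cps_b.add(Folder("secret"))

    results = {}
    for url in ("/cpsA", "/cpsB/secret", "/cpsA/cpsB/secret"):
        chain = traverse(root, url)
        vouching = authenticate(chain, "user1")
        if vouching is None:
            results[url] = (None, False, False)
        else:
            results[url] = (vouching.name,
                            allowed_by_acquisition(vouching, chain),
                            allowed_by_containment(vouching, chain))
    return results


if __name__ == "__main__":
    for url, outcome in demo().items():
        print(f"{url:22} vouched by={outcome[0]!s:5} "
              f"acquisition-check={outcome[1]!s:5} containment-check={outcome[2]}")
```

Running the script shows the two checks agreeing on /cpsA and on a direct /cpsB/secret request (where user1 is simply anonymous), and disagreeing only on the crafted /cpsA/cpsB/secret path: the acquisition-based check accepts cpsA's user folder because it sits in the traversal context, while the containment-based check rejects it because cpsA does not contain cpsB. That difference is the observable symptom Bruno describes, and the strict variant is the property to verify when reproducing the report on a blank CPS instance.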