Hi Hanno,

just a simple workaround: I remember there is a way to mark URLs/IDs as forbidden for creation. So create your portals first and then mark these IDs as reserved inside the portals. When using an uncommon UUID, i.e. as portal ID, this should work in 99,9... situations. And if you get a hit, it results in an error.
I had similar stuff, as my initials are the same as my user ID and as my company short name. To avoid this I usually add prefixes or suffixes.

UPDATE: To implement this in Plone: Set an option by default that automatically adds the IDs of folderish (or Plone Site) objects at the Zope root to the invalid IDs. This is maybe not the cleanest way, but it may be a serious issue not to solve this security risk, even with a quick hack.

Armin

On 29.09.2010 at 16:55, Hanno Schulz wrote:

> Hello
>
> I am looking for a solution to restrict access between Plone portals on the same Zope server.
>
> The Problem:
> Zope Root
> /
> |- Portal A
> |- Portal B
>
> When you call server/Portal B/somefolder/Portal A/ you get the content from Portal A instead of an error page (for example 404).
> I know it's the "normal" Zope acquisition :( But is there a way to stop traversing at the Plone portal root?
>
> Thanks
> Hanno Schulz
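
A simplified model of the traversal behaviour discussed in this thread, added here as an example and not part of the original messages or of Zope/Plone code: it shows why the URL from the question resolves to Portal A, and a check that compares the portal the URL entered with the portal that physically contains the result. `Node`, `traverse`, `portal_of` and `crosses_portal` are hypothetical names, the IDs `PortalA`/`PortalB` are constructed, and real acquisition also searches the context chain, which this model omits.

```python
# Simplified model of acquisition during URL traversal (not Zope code).
# All class and function names here are hypothetical.

class Node:
    def __init__(self, name, parent=None, is_portal=False):
        self.name, self.parent, self.is_portal = name, parent, is_portal
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def physical_path(self):
        """Containment path, independent of the URL used to reach the object."""
        node, parts = self, []
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return tuple(reversed(parts))

def traverse(root, url_path):
    """Resolve each segment in the current object, then in its containers."""
    current = root
    for segment in filter(None, url_path.split("/")):
        lookup = current
        while lookup is not None and segment not in lookup.children:
            lookup = lookup.parent      # acquisition: walk up the containment
        if lookup is None:
            raise KeyError(segment)     # nothing found anywhere: a 404
        current = lookup.children[segment]
    return current

def portal_of(node):
    """Nearest enclosing portal by containment, or None."""
    while node is not None and not node.is_portal:
        node = node.parent
    return node

def crosses_portal(root, url_path):
    """True if the URL enters one portal but resolves inside another."""
    segments = list(filter(None, url_path.split("/")))
    entered = root.children.get(segments[0]) if segments else None
    if entered is None or not entered.is_portal:
        return False
    return portal_of(traverse(root, url_path)) is not entered

# Constructed sample tree matching the layout in the question.
root = Node("")
portal_a = Node("PortalA", root, is_portal=True)
portal_b = Node("PortalB", root, is_portal=True)
Node("somefolder", portal_b)
Node("news", portal_a)
```
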
