bruno modulix wrote:
Dieter, I didn't misunderstand your proposed solution. But some users
exist in different CPMs with different roles in each CPM. So - unless
I'm totally at a loss with how Zope's security works - if User1 has role
RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
he could gain RoleWithMuchPrivileges in Cpm2 just by using a faked URL
cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
any CPM could gain access to any other CPM just by faking the URL.

As Tres mentioned, that should not be possible, as it's contrary to the
Zope Security Policy.
Can you reproduce it within a blank CPS instance using standard CPS
products? If yes, could you explain the steps to reproduce it, and the
versions of CPS, CMF, Zope and Python you use?
Florent
--
Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]