[Zope-CMF] Securing CMF.

marc lindahl marc@bowery.com
Tue, 07 Aug 2001 15:59:47 -0400


I'm setting something up like that now...
I have everyone 'join' so they get their little member's area (why not??).
Then in the top level of the CMFSite put the Client1 Client2 etc folders.
As you outlined, (via ZMI) disable the Access Contents Info and View for all
(including inherit, of course)... then inside each folder (once the people
join) with CMF1.1 it's easy to assign people local roles....

I made a news_box type method to list top-level folders - only the ones you
have local permission for this way will show up.

I'll attach it at the bottom.

So, my question is, why create a folder called "Clients" separate from
Members?

> From: Shane Hathaway <shane@digicool.com>
> 
> Then I would create a folder called "Clients".  I would create a
> user-defined role called "Client" in the root of the site.  In the
> Clients folder I would disable at least the "Access Contents
> Information", "View", and (if you have it) "List Folder Contents"
> permissions for all roles but Manager and Client.  I would *not* give
> users the "Client" role directly.  Instead, for each client folder I
> would add local roles that map specific users to the Client role.
> 
> In other words, just use Zope security controls.  CMF tries hard to make
> sure they work like they always have.
> 


 <dtml-comment> links box for homepage</dtml-comment>


<table class="NewsItems" cellspacing="0" cellpadding="0" border="0"
width="100%">
  <tr>
   <td class="NewsBorder" width="1" rowspan="13" bgcolor="#6699CC">
    <img src="spacer.gif" alt=" "
         width="1" height="2" border="0"/>
   </td>
   <td valign="top" class="NewsTitle" width="100%">
     <b>Areas:</b>
   </td>
  </tr>


<dtml-in expr="contentValues(spec='Portal Folder')"
         sort="getId"  skip_unauthorized>
 <dtml-let obj="_.getitem('sequence-item', 0 )"
           folderish=isPrincipiaFolderish
           portalish="_.hasattr( obj, 'isPortalContent' )
                     and obj.isPortalContent"
           methodID="folderish and '' or ( portalish
                     and '/view' or '' )"
           getIcon="_.hasattr(obj, 'getIcon') and obj.getIcon()"
           icon="getIcon or _.getattr(obj, 'icon', '')"
 >
     <tr class="NewsItemRow">
      <td valign="top">
         <a href="&dtml-absolute_url;&dtml-methodID;"
           >&dtml-getId;<dtml-if title> (&dtml-title;)</dtml-if></a>
      </td>
     </tr>

 </dtml-let>
</dtml-in>

<tr class="NewsItemRow">
<td>
 <a href="&dtml-portal_url;"><b>Home</b></a>
</td>
</tr>

 </table>
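
The scheme in the quoted text, as a simplified Python model. This is an added example, not part of the original post and not Zope's own code. Node, can, visible and the users alice, bob and carol are hypothetical names, and only the "View" permission is modelled. It also shows why the Client role is assigned locally rather than given to users directly.

```python
# Simplified model of Zope-style permission checks (illustration only).
# Real Zope does this in AccessControl; every name below is hypothetical.

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.perm_roles = {}    # permission -> (roles, acquire flag)
        self.local_roles = {}   # user id -> roles granted here and below

    def set_permission(self, perm, roles, acquire):
        self.perm_roles[perm] = (set(roles), acquire)

def roles_allowed(node, perm):
    """Walk up the containment chain, collecting roles until acquire is off."""
    allowed = set()
    while node is not None:
        roles, acquire = node.perm_roles.get(perm, (set(), True))
        allowed |= roles
        if not acquire:
            break
        node = node.parent
    return allowed

def roles_of(user_id, global_roles, node):
    """Global roles plus every local role on the node or any of its containers."""
    roles = set(global_roles) | {"Anonymous"}
    while node is not None:
        roles |= node.local_roles.get(user_id, set())
        node = node.parent
    return roles

def can(user_id, global_roles, node, perm):
    return bool(roles_of(user_id, global_roles, node) & roles_allowed(node, perm))

def build_site():
    site = Node("site")
    site.set_permission("View", ["Anonymous", "Manager"], acquire=False)
    clients = Node("Clients", site)
    # Acquire off: only Manager and Client keep View below this point.
    clients.set_permission("View", ["Manager", "Client"], acquire=False)
    c1, c2 = Node("Client1", clients), Node("Client2", clients)
    c1.local_roles["alice"] = {"Client"}   # constructed sample users
    c2.local_roles["bob"] = {"Client"}
    return site, clients, c1, c2

def visible(user_id, global_roles, folders):
    """Analogue of <dtml-in ... skip_unauthorized>: list only viewable folders."""
    return [f.name for f in folders if can(user_id, global_roles, f, "View")]
```

A user holding Client as a global role passes the check in every client folder, which is the case the local-role mapping avoids.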