[Zope] Re: Aquisition, UserFolder and security

bruno modulix bruno at modulix.org
Tue Oct 4 04:29:18 EDT 2005


Florent Guillaume wrote:
> bruno modulix wrote:
> 
>> Dieter, I didn't misunderstand your proposed solution. But some users
>> exist in different CPMs with different roles in each CPM. So - unless
>> I'm totally at a loss with how Zope's security works - if User1 has role
>> RoleWithMuchPrivileges in Cpm1 and role RoleWithFewPrivileges in Cpm2,
>> he could gain RoleWithMuchPrivileges in Cpm2 just by using faked url
>> cpm1/cpm2/whatever_he_should_not_access_here. Worse, anyone existing in
>> any CPM could gain access to any other CPM just by faking url.
> 
> 
> As Tres mentioned, that should not be possible, as it's contrary to the
> Zope Security Policy.

As I mentioned, I may *also* be completely at a loss with the inners of
Zope's security policy :-/

> Can you reproduce it within a blank CPS instance using standard CPS
> products? If yes, could you explain the steps to reproduce it, and the
> versions of CPS, CMF, Zope and python you use?

What I observed is that, given two sibling CPS instances (cpsA and cpsB)
with LDAPUserGroupsFolder, a user existing only in cpsA, once
authenticated in cpsA, is still viewed as authenticated when accessing
cpsB through the cpsA/cpsB url. I don't have much time right now to
investigate further, but I'll do ASAP and let you know if I find
anything strange.


-- 
Bruno Desthuilliers
Developer
bruno at modulix.org
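Added example, not part of the thread and not Zope or CPS code: a small constructed model of the situation Bruno reports. It resolves a URL the way acquisition does (a segment missing from the current folder is looked up in its ancestors), lets any user folder found along the traversed URL authenticate the request, and contrasts that with a stricter rule that only accepts a user folder whose container is an ancestor on the target's *physical* path. The `Folder`, `traverse` and `authenticate` names, the user sets and the site layout are all assumptions made for the illustration.

```python
# Constructed model of acquisition-based URL traversal and user-folder lookup.
# Not Zope's implementation; all names and the site layout are assumptions.

class Folder:
    def __init__(self, name, parent=None, users=None):
        self.name, self.parent = name, parent
        self.users = users            # None means "no acl_users in this folder"
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def physical_path(self):
        node, parts = self, []
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return tuple(reversed(parts))

def traverse(root, url_path):
    """Resolve a URL like acquisition does: a segment not found in the current
    folder is searched in its ancestors, so cpsA/cpsB/doc reaches cpsB/doc."""
    ctx, chain = root, [root]
    for seg in url_path.strip("/").split("/"):
        node = ctx
        while node is not None and seg not in node.children:
            node = node.parent
        if node is None:
            raise KeyError(seg)
        ctx = node.children[seg]
        chain.append(ctx)
    return ctx, chain

def authenticate(root, url_path, username, strict):
    """Return the name of the folder whose user database validated the request,
    or None. Non-strict: any user folder on the traversed URL chain may validate
    (the behaviour reported above). Strict: that folder must also lie on the
    target's physical path, so a sibling site's users are never accepted."""
    target, chain = traverse(root, url_path)
    for folder in reversed(chain):          # innermost user folder is tried first
        if folder.users is None or username not in folder.users:
            continue
        prefix = folder.physical_path()
        if strict and target.physical_path()[:len(prefix)] != prefix:
            continue
        return folder.name
    return None

def build_site():
    root = Folder("")
    Folder("cpsA", root, users={"user1"})     # user1 exists only in cpsA
    cps_b = Folder("cpsB", root, users={"user2"})
    Folder("doc", cps_b)
    return root
```

With the non-strict rule, `authenticate(build_site(), "cpsA/cpsB/doc", "user1", strict=False)` returns "cpsA", which is the cross-site authentication observed; the strict rule returns None for the same request while still accepting user2 at cpsB/doc.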
