[Zope] Aquisition, UserFolder and security

[bruno modulix]

Julien Anguenot wrote:
> Hi Bruno,

Hi Julien,

> If you're using a central LDAP for all the instances you can restrict
> the access from the different instances using either
> LDAPUserGroupsFolder or CPSUserFolder.
> 
> Discrimination are done by LDAP branches (users or groups). If you can't
> control the LDAP and thus the way the branches are designed, for
> whatever reasons, then you can use CPSUserFolder and set the
> discrimination on the UF within each instance by setting custom CPS
> directories (which is what CPSUserFolder uses as proxy for
> authentication sources).
> 
> To sum up it's a matter of configuration.

I'm afraid there's more to it than just a matter of configuration, cf
below...

> We'll be glad to discuss your use case on cps-users list.

I've spent quite some time investigating the
CPSUserFolder/Metadirectories/Stackingdirectories/backingDirectories...
solution, and the final word (from Olivier Grisel, cf the cps-users ml)
was that some code concerning roles and groups management was not yet
fully implemented, so the whole thing couldn't work without patching and
merging parts of CPSDirectories - which was a definitive no-no for us.

I don't know if this has been fixed in 3.3.6, but anyway, this part of
our project is supposed to be already working (and mostly does, except
for this security problem), and we can't afford to come back on it, as
it would delay delivery by at least one week - which is also not an
option. But thanks anyway...

-- 
Bruno Desthuilliers
Développeur
bruno at modulix.org