[Zope-CMF] Securing CMF.

Shane Hathaway shane@digicool.com
Tue, 07 Aug 2001 12:46:51 -0400


"Jason C. Leach" wrote:
> I like CMF, and we might have a use for it as a client portal on our
> web site. But I need to be able to secure it so that each client's
> account is not accessible/searchable to any other client. There will
> be a public folder in each client's site, but nothing else should be
> available (not even a client listing).
> 
> Can this be easily done?

First, you can either assume that a "client" is a set of users or one
user.  I would make the assumption that a client is a set of users. 
With that in mind, it would make sense to create a new folder for each
client independent of member folders.

Then I would create a folder called "Clients".  I would create a
user-defined role called "Client" in the root of the site.  In the
Clients folder I would disable at least the "Access Contents
Information", "View", and (if you have it) "List Folder Contents"
permissions for all roles but Manager and Client.  I would *not* give
users the "Client" role directly.  Instead, for each client folder I
would add local roles that map specific users to the Client role.

In other words, just use Zope security controls.  CMF tries hard to make
sure they work like they always have.

Shane
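
The layout described in the reply, as a simplified pure-Python model of how permission settings and local roles combine. This is an added illustration, not Zope or CMF code and not part of the original message. The class and function names, the users, the client folder names, the root defaults and the `public` folder setting are all assumptions.

```python
# Simplified model of Zope-style permission checks. Not Zope code; all names are hypothetical.
PROTECTED = ("Access Contents Information", "View", "List Folder Contents")

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.perm_roles = {}   # permission -> (roles allowed here, acquire from parent?)
        self.local_roles = {}  # user id -> roles that apply here and below

    def set_permission(self, perm, roles, acquire=False):
        self.perm_roles[perm] = (set(roles), acquire)

    def roles_for(self, perm):
        """Roles holding perm here: walk up until a setting stops acquisition."""
        allowed, node = set(), self
        while node is not None:
            roles, acquire = node.perm_roles.get(perm, (set(), True))
            allowed |= roles
            if not acquire:
                break
            node = node.parent
        return allowed

    def roles_of(self, user, global_roles=()):
        """Global roles plus local roles found on this node and its containers."""
        found, node = {"Anonymous", *global_roles}, self
        while node is not None:
            found |= set(node.local_roles.get(user, ()))
            node = node.parent
        return found

    def allowed(self, user, perm, global_roles=()):
        return bool(self.roles_of(user, global_roles) & self.roles_for(perm))

def build_site():
    root = Node("root")
    for perm in PROTECTED:  # assumed site defaults: open to everyone
        root.set_permission(perm, ["Manager", "Anonymous"])
    clients = Node("Clients", root)
    for perm in PROTECTED:  # the reply's step: Manager and Client only, nothing acquired
        clients.set_permission(perm, ["Manager", "Client"])
    site = {"Clients": clients}
    for name, user in (("acme", "alice"), ("globex", "bob")):  # constructed sample data
        folder = Node(name, clients)
        folder.local_roles[user] = ["Client"]  # local role on this folder only
        public = Node("public", folder)
        public.set_permission("View", ["Anonymous"], acquire=True)  # assumed public setting
        site[name], site[name + "/public"] = folder, public
    return site
```

In this model, calling `allowed` with `global_roles=["Client"]` passes on every client folder, which is the case the reply avoids by mapping users to the Client role through local roles only.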