[opencms-dev] Multitenant configuration

Alessandro Magnolo alessandro.magnolo at gmail.com
Wed Dec 5 17:06:49 CET 2012


Hello Tobias.

OpenCms version is 8.5.0.
I have two OUs; each of them has a project within a dedicated folder.

If I login with an OU user, in the workplace I can see both his OU
folder and the other OU folder, and their contents. I can upload a
file in the OU folder but can't upload files in the other OU folder,
the upload button is grayed out (this is correct).

If I open a structured content document for edit, in the VfsFileWidget
I can browse to the other OU folder and link to a file there (this is
what the original poster was talking about and should be avoided).
While I'm browsing the other OU folder, I can click the "upload"
button and upload a file. The file gets stored in the folder where in
theory I should be forbidden to write (the one where the upload button
is grayed out in the workspace).

The structured document element is defined as:
<xsd:element name="VariableLink" type="OpenCmsVfsFile" minOccurs="1" />

With the layout:
<layout element="VariableLink" widget="VfsFileWidget"
configuration="hidesiteselector|projectaware" />

I didn't set a "startsite" configuration because the same XSD is to be
used by two (or more) OUs, and each of them should have a different
startsite. By the way, is there a way to set a different startsite?

I hope you have enough information to reproduce the bug; tell me if
you need further assistance.

Regards,
Alessandro Magnolo


On Wed, Dec 5, 2012 at 3:46 PM, Tobias Herrmann <t.herrmann at alkacon.com> wrote:
> Hi Alessandro,
>
> this should not be possible.
> Please state which OpenCms version you are using and how you have set up
> your permissions.
> We would like to verify the issue and fix it, if it is a bug.
>
> Greetings, Tobias
>
> --
>
> Alkacon Software GmbH - The OpenCms Experts
>
> http://www.alkacon.com
> http://www.opencms.org
>
> On 05.12.2012 15:35, Alessandro Magnolo wrote:
>
>> It gets worse: if you use the DownloadGalleryWidget layout widget, a
>> user can write in any folder of the entire opencms installation, even
>> in folders where he can't write using the workplace (AKA Explorer
>> view).
>>
>> In other words, the DownloadGalleryWidget bypasses the permission
>> checks on the VFS, that normally don't allow an OU user to write in
>> other OUs folders. This is extremely dangerous.
>>
>>
>> Alessandro Magnolo
>>
>>
>> On Wed, Dec 5, 2012 at 11:53 AM, Kunicke, Holger
>> <holger.kunicke at av-studio.de> wrote:
>>>
>>> Hello List,
>>>
>>> does anybody know a possibility to restrict the automatism of an
>>> "OpenCmsVfsFile" field, which transforms absolute into relative URLs, to
>>> an OU or deactivate this completely?
>>>
>>> My reason for this question is:
>>> We have more clients in one CMS and the probability is given that our
>>> clients create links between them.
>>>
>>> Regards
>>> Holger
>>>
>>> _______________________________________________
>>> This mail is sent to you from the opencms-dev mailing list
>>> To change your list options, or to unsubscribe from the list, please
>>> visit
>>> http://lists.opencms.org/cgi-bin/mailman/listinfo/opencms-dev
>>>
>>>
>>>
>>>


