On the Contenido 4.3.1 beta WAMP incl. demo database.
Defining a new site exposes security problems using the group administration.
1) Log onto the backend using the "sysadmin" user.
2) Define a new "Mandanten". Name it "Kunde 2"
3) Define a language "deutch" under "Kunde 2"
4) Define a group "Authoren" and give the group access to both "Kunde" and "Kunde 2".
Remember that the standard user "admin" is defined to have administrator access ONLY to the standard site "Kunde".
Now log in as "admin" and go to "Administration | Gruppen" and click on the group "Authoren".
On the page "Eigenschaften" it is, as expected, only possible to access options regarding "Kunde". But on the pages "Mitglieder", "Bereiche", "Layout", "Content", "Module", "Template" and "Kategorie" the "Kunde" limited user "admin" can still modify the group settings on other "Mandanten".
In case of the "Mitglieder" I'm not sure if the limited administrator "admin" should have access to assign or deassign users, since the group defines cross-"Mandanten" access. This poses a design problem, because surely you would expect the administrator to be able to assign users to the group, but this assignment should only affect the user's access on the current "Mandanten". I would expect this to be a design issue not easily avoided.
Ojo
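
The following is an added example, not part of the original post and not Contenido's own code: a small Python model of one way to address the issue reported above, by storing group rights and memberships per client ("Mandant") and checking every write against the clients the acting administrator manages. The class, method names and the user "editor1" are hypothetical; the sample data is constructed to mirror the setup in the report.

```python
# Hypothetical model (not Contenido code): group settings and memberships
# are stored per client ("Mandant"), and every write is checked against
# the clients the acting administrator is allowed to manage.

class Forbidden(Exception):
    pass

class GroupStore:
    def __init__(self, admin_clients):
        self.admin_clients = admin_clients   # admin name -> set of clients
        self.rights = {}                     # (group, client, area) -> bool
        self.members = {}                    # (group, client) -> set of users

    def _require(self, actor, client):
        # Server-side check on every page/action, not only "Eigenschaften".
        if client not in self.admin_clients.get(actor, set()):
            raise Forbidden(f"{actor} may not administer {client}")

    def set_right(self, actor, group, client, area, allowed):
        self._require(actor, client)
        self.rights[(group, client, area)] = allowed

    def assign_member(self, actor, group, client, user):
        # Membership is scoped to one client, so assigning a user here
        # grants nothing on the group's other clients.
        self._require(actor, client)
        self.members.setdefault((group, client), set()).add(user)

    def visible_clients(self, actor, group_clients):
        # Only offer the clients the actor administers in the group UI.
        return sorted(set(group_clients) & self.admin_clients.get(actor, set()))

    def has_right(self, user, group, client, area):
        return (user in self.members.get((group, client), set())
                and self.rights.get((group, client, area), False))

def demo():
    # Constructed sample data mirroring the report's setup.
    store = GroupStore({"sysadmin": {"Kunde", "Kunde 2"}, "admin": {"Kunde"}})
    store.set_right("sysadmin", "Authoren", "Kunde 2", "Layout", True)
    store.set_right("admin", "Authoren", "Kunde", "Layout", True)
    store.assign_member("admin", "Authoren", "Kunde", "editor1")
    try:
        store.set_right("admin", "Authoren", "Kunde 2", "Layout", False)
        blocked = False
    except Forbidden:
        blocked = True
    return store, blocked
```

In this model the limited administrator can still add users to the group, but the membership only takes effect on "Kunde", and the attempt to change the "Kunde 2" settings is rejected.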