The Plone site workflow is set to intranet. Users can log in to Plone, but when bad credentials are given (or the user does not have permission) Plone opens the ZMI login (falls back to ZMI login). We want to change this so that users are not presented the ZMI login or are redirected to another URL.
We still want the management to be able to log in with ZMI. (This is important)
I'm curious what the "zmi login" looks like... the BASIC auth form that you get when you go to /manage_main? It's certainly strange that a Plone site would be sending you to anything other than the /login_form
Plone 5. I have CAS enabled. So after CAS login, if the user does not have permissions it will fall back to ZMI login. It could be the basic auth like you said. I know how to disable it, but if I disable it then the admins cannot get to ZMI. So is there another way for admins to get to ZMI without this basic auth, or is there a way to send people to a URL rather than falling back on basic auth to ZMI if users don't have permissions?
Falling back to "higher level" user folders is normal Zope behaviour. Likely, the easiest solution for your case would be that those "higher level" user folders can authenticate only your admin users. If necessary, use CAS for those user folders as well.
The problem is not CAS. It is Zope related. Zope sends a 401 error when a Plone user is authenticated but does not have enough permissions, hence the login dialog box. Apache doesn't see the 401 error, that's why I cannot change the headers in Apache. Is there a way to change the headers in Zope conf? (401 to 403?)