Hi,
I may have got the wrong idea here so please correct me if I'm wrong...
If there are multiple themes created in a webtools site, each one can have its own specific catalog, and by connecting users to themes, the catalog that the user sees when he logs in (if the site requires login to view catalogs) is defined.
I was under the impression that this functionality was a means of restricting the products that a user can view and buy.
Why, then, when I log in, can I manipulate the URL query string to switch to another theme simply by editing the 'ServerId' parameter, and hence see items which I may not be entitled to see?
(Obviously you have to know the theme ID you require, but I can't accept that this is enough to secure the catalog from unauthorised use.)
Maybe I don't understand the Base URL / User Theme / Catalog functionality correctly or I have missed an important setting somewhere?