Can't edit CMF/Plone content if the creator is deleted
I don't know if this is a Zope, CMF, Plone or DCWorkflow issue, but I just got bitten by what appears to be a bug in someone's security handling.

If you create some content as user A, then delete user A, no one can edit the content, or change its ownership.

I created a site as "manager" and created a bunch of content. Then I created the users that would actually be maintaining the content and deleted "manager" (It's far too easy to guess at). Suddenly, all updates started failing, and continued failing, until I re-created the "manager" user.

I have set the domain to 127.0.0.1 so the user can not log in, but I would really like to know if this is an intended security feature or a bug.

Any input would be appreciated.

Adrian...

On Fri, 11 Oct 2002, Adrian Hungate wrote:
> I don't know if this is a Zope, CMF, Plone or DCWorkflow issue, but I just got bitten by what appears to be a bug in someone's security handling.
>
> If you create some content as user A, then delete user A, no one can edit the content, or change its ownership.

I suspect this is due to a Feature of the base Zope security. A user is only allowed to do things in the intersection of his privileges and those of the owner of the code being executed. Otherwise you have the same situation that having a '.' in your root path puts you in in unix.

--RDM

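A simplified model of the owner check described in the reply above, added here as an illustration; it is not Zope's code and was not posted by anyone in the thread. The user names, the `Editor` role, the role map and the `/site/edit_form` path are constructed, and resolving a missing owner to an anonymous identity is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Assumption of this model: an owner id that no longer resolves is
# treated as an anonymous identity holding no useful roles.
NOBODY = User("nobody", frozenset({"Anonymous"}))

# Constructed role map: which roles grant which permission.
PERMISSIONS = {"Modify portal content": frozenset({"Manager", "Owner", "Editor"})}


@dataclass
class Executable:
    """Stand-in for owned code (script, template); stores the owner's id only."""
    path: str
    owner_id: str


def allowed(users, caller, exe, permission):
    """Grant only if the caller AND the owner of the running code both qualify."""
    needed = PERMISSIONS[permission]
    owner = users.get(exe.owner_id, NOBODY)
    return bool(caller.roles & needed) and bool(owner.roles & needed)


def orphaned(users, executables):
    """Audit helper: paths of objects whose owner id no longer resolves."""
    return [e.path for e in executables if e.owner_id not in users]


def scenario():
    users = {"manager": User("manager", frozenset({"Manager"})),
             "alice": User("alice", frozenset({"Editor"}))}
    form = Executable("/site/edit_form", "manager")
    perm = "Modify portal content"
    results = {"before": allowed(users, users["alice"], form, perm)}
    removed = users.pop("manager")  # delete the creating account
    results["after_delete"] = allowed(users, users["alice"], form, perm)
    results["orphans"] = orphaned(users, [form])
    users["manager"] = removed  # re-create it, as the original poster did
    results["after_recreate"] = allowed(users, users["alice"], form, perm)
    return results
```

Running `orphaned` over a site before removing an account shows which objects would lose a resolvable owner.
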
Could you expand on what you mean by "content"? Is it executable content (DTML, ZPT, python scripts)? Also what's the failure mode. Unauthorized? Traceback? Finally have you tried VerboseSecurity (if that applies)?

Florent

Adrian Hungate <adrian@haqa.co.uk> wrote:
> I don't know if this is a Zope, CMF, Plone or DCWorkflow issue, but I just got bitten by what appears to be a bug in someone's security handling.
>
> If you create some content as user A, then delete user A, no one can edit the content, or change its ownership.
>
> I created a site as "manager" and created a bunch of content. Then I created the users that would actually be maintaining the content and deleted "manager" (It's far too easy to guess at). Suddenly, all updates started failing, and continued failing, until I re-created the "manager" user.
>
> I have set the domain to 127.0.0.1 so the user can not log in, but I would really like to know if this is an intended security feature or a bug.
>
> Any input would be appreciated.

--
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com

participants (3)
- Adrian Hungate
- Florent Guillaume
- R. David Murray