[Zope-CMF] private docs shown to other members, pending shown to anonymous

Lynn Walton waltonl@franklin.edu
Thu, 27 Dec 2001 16:20:08 -0600


I've got Zope 2.4.3, CMF 1.1 CVS release from around Oct 28th.

If I create a CMFDefault Document and leave it private, then enter my
site as an anonymous user and use the URL for that document, I'll get
redirected to the login_form.  Then if I enter any valid member name &
password (even though it's not the owner of that private document) it
will let me see it.  This happens using the default workflow that
comes with CMF1.1.

What's worse is that if the owner uses submit to put it in the pending
state, it then becomes viewable by the Anonymous user.

The document's status is getting set properly to "private", or "pending",
etc.

I first noticed this problem when trying to use a custom DCWorkflow on
one of our custom objects.  I'm using a DCWorkflow that is based on the
classic workflow and I only altered it one way - to have it run a
script that emails me after the user does a submit.  This custom
DCWorkflow is ONLY used for ONE of my custom objects, NOT the rest of
the CMFDefault stuff.
But it has the same behavior as described above.

When I experienced this, I went to see if I got the same
behavior with CMFDefault.Documents that are using the default workflow,
and I did.

I haven't done anything to change the normal permissions or roles that I
think would be affecting this. I created two roles besides the default
ones, but I didn't change what permissions are available to any of the
default roles.

I searched the archives and the only other time I've seen complaints
about this were when people had added permissions to "Member" (like
Review Content) which I haven't done, or had written their own
DCWorkflows that might have problems. Since I think mine is a pretty
standard setup, I'm surprised no one else has reported this.  Any
ideas?

Thanks,
Lynn