[Zope-CMF] private docs shown to other members, pending shown

Lynn Walton waltonl@franklin.edu
Fri, 28 Dec 2001 12:08:32 -0600


> From: Kari-Hans Kommonen <khk@uiah.fi>
>
> I tried to describe the same situation previously, but I thought that
> there must be something wrong with our setup, so I did not explain it
> this way or call it a bug... in all our CMF sites, "private"
> documents seem to be available to all members if they discover the
> URL.

khk,
Well, it seems like a bug to me.  Although you can confirm private things being seen by
Members, can you also confirm whether pending things can be seen by all?


> From: marc lindahl <marc@bowery.com>
>
> Take a look at the permissions made by your custom workflow, and take a look
> at the permissions of the folder (tree) where your created documents are.  I
> find that the default workflow is a little odd, and can easily give you that
> behavior.  I'd recommend really analyzing your requirements and creating
> your own workflows that interact as you desire with your folder permissions.

Marc,
Well, although it might be a good idea, I don't have time right now to learn enough to
write my own workflows.
When you say "take a look at the permissions made by your custom workflow", I'm saying I
didn't make a custom workflow. I have this same behavior with the CMF's default workflow,
and with the DCWorkflow product's "Web-configurable workflow [Classic]".

Am I wrong to understand that those two provided workflows are supposed to 1) have
private only visible to owner and manager  and 2) have pending only visible to owner,
manager and reviewer?

I looked at my folder permissions and they all have acquire permissions ... and I don't
have any changes I made higher up the tree that would have added more permissions for
Anonymous or Member.  I even tried taking acquire permissions off of one of my
subfolders where I have both private and pending things which are getting viewed by
roles that shouldn't be getting to view them, and specifically checking that only
manager and owner could access future portal content, and access inactive portal
content, and review portal content ... but it made no difference.  So I'm not sure
what other permissions would even be coming into play here?

To All,
Can more people out there verify if this same behavior happens to them with CMF1.1?
Tres, can you comment on whether I'm understanding this wrong or whether there is a bug
in this respect?

Thanks,
Lynn