[Zope-CMF] private docs shown to other members, pending shown

[Jeffrey P Shell]

On Friday, December 28, 2001, at 11:08  AM, Lynn Walton wrote:

>> From: Kari-Hans Kommonen <khk@uiah.fi>
>>
>> I tried to describe the same situation previously, but I thought that
>> there must be something wrong with our setup, so I did not explain it
>> this way or call it a bug... in all our CMF sites, "private"
>> documents seem to be available to all members if they discover the
>> URL.
>
> khk,
> Well, it seems like a bug to me.  Although you can confirm private 
> things being seen by
> Members, can you also confirm whether pending things can be seen 
> by all?

This might be due to a bug in how CMF Content objects are 
instantiated, as outlined in CMF Tracker issue 410 [1].  Basically, 
when an object is instantiated, 'manage_afterAdd()' is called.  And 
the default behavior for manage_afterAdd() for portal content based 
objects is to notify the workflow tool that they've been created.

The problem with this is that 'manage_afterAdd()' is called 
*before* the Dynamic Type information is set, which is how an 
object gets associated with a particular workflow.  As a result, 
the workflow 'notifyCreated()' call may be sent to the wrong 
workflow agent (definition).

It's in the 'notifyCreated()' call that a workflow definition has 
the opportunity to put an object into its initial state, and thus 
set up the correct initial permissions.  But if this call is never 
made, an object might report that it's in the 'Private' state, but 
it hasn't actually been put into that state (the reason it's 
reporting that it's in the Private state is because the workflow 
definition returns that value if it can't find any proper status 
information on the object).

..[1] http://www.zope.org/Products/PTK/Tracker/410/1

Jeffrey P Shell, jeffrey@cuemedia.com