[Zope-CMF] Secure filtering of content & workflow tool
Tres Seaver
tseaver@palladion.com
Wed, 11 Jul 2001 07:36:34 -0400
Chris Withers wrote:
> Just wondering why I could view content that hadn't been approved as an
> anonymous user and then realised I'd taken the following chunk out of
> standard_html_header:
>
> <dtml-if "_.hasattr(this(),'isEffective') and not isEffective( ZopeTime() )">
> <dtml-unless "portal_membership.checkPermission('Request review',this()) or portal_membership.checkPermission('Review portal content',this())">
> <dtml-var "RESPONSE.unauthorized()">
> </dtml-unless>
> </dtml-if>
>
> I'm not using DCWorkflow yet but I thought the idea of a workflow tool was
> to make this kind of permission check unnecessary?
This check doesn't involve workflow state at all; it enforces the
"effective range" of the content. Only the owner and those with
'Review portal content' permission are supposed to be able to view
a piece of content outside of its effective range, regardless of the
workflow state.
> ...I just checked DefaultWorkflow in CMFDefault, and updateRoleMappingsFor
> suggests that this content shouldn't be viewable, but it is!
I can't reproduce this on a stock CMF site; content which is private or
pending review can't be viewed by anonymous.
>
> Can anyone comment on this?
>
> cheers,
>
> Chris
>
> (Oh yeah, also, is the Workflow tool going to handle all event notification,
> etc? I asked about this w.r.t. the discussion tool earlier and Seb suggested
> a workflow based solution. How feasible does that sound? If it's not, how
> should I be doing it?)
The "event tool" proposal is a more general solution, likely to be implemented
for the next release of CMF:
http://cmf.zope.org/rqmts/proposals/EventsTool
Tres.
===============================================================
Tres Seaver tseaver@digicool.com
Digital Creations "Zope Dealers" http://www.zope.org
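The point Tres makes, that the effective-range guard in standard_html_header is independent of workflow state, can be seen in a small Python model of that check. This is an added example, not code from CMF or from either poster; the `Content` and `Member` classes, the `isEffective` range logic and the permission-set representation are assumptions standing in for the real CMF objects.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional, Set

# The two CMF permission names quoted in the thread's <dtml-unless> test.
REVIEW_PERMISSIONS = ("Request review", "Review portal content")


@dataclass
class Content:
    """Assumed stand-in for a CMF content object (what this() returns)."""
    workflow_state: str
    effective_date: Optional[datetime] = None   # None: no lower bound
    expiration_date: Optional[datetime] = None  # None: no upper bound

    def isEffective(self, now: datetime) -> bool:
        # Assumed semantics: effective iff now lies within [effective, expiration].
        if self.effective_date is not None and now < self.effective_date:
            return False
        if self.expiration_date is not None and now > self.expiration_date:
            return False
        return True


@dataclass
class Member:
    """Assumed stand-in for the viewer; anonymous has an empty permission set."""
    permissions: Set[str] = field(default_factory=set)


def effective_range_allows(content, member: Member, now: datetime) -> bool:
    """Boolean form of the standard_html_header guard from the thread.

    True means the page may render; False is where the header would call
    RESPONSE.unauthorized(). Note that content.workflow_state is never read:
    this guard is a separate layer from whatever the workflow tool enforces.
    """
    if hasattr(content, "isEffective") and not content.isEffective(now):
        return any(p in member.permissions for p in REVIEW_PERMISSIONS)
    return True


def demo():
    # Constructed scenario: a *published* item whose effective date is still
    # in the future is hidden from anonymous, but visible to a reviewer.
    now = datetime(2001, 7, 11)
    not_yet = Content("published", effective_date=datetime(2001, 8, 1))
    return {
        "anonymous": effective_range_allows(not_yet, Member(), now),
        "reviewer": effective_range_allows(
            not_yet, Member({"Review portal content"}), now),
    }
```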