[Zope-CMF] Why is this private page visible to anonymous?

Shane Hathaway shane@digicool.com
Mon, 11 Jun 2001 22:15:34 -0400


Brad Clements wrote:
> When I view
> 
> http://cmf.zope.org/doc/admin/CMF_configuration
> 
> It says "status:private" on the left.
> 
> I guess I don't understand all the possible "status" values, but the status "private"
> means to me that no one should be able to view it.

Until today, the default workflow was not very aggressive in setting
permissions.  It would only *enable* permissions, not *disable* them. 
That means that in order for privacy to be in effect, one of the
containing folders ('cmf.zope.org', 'doc', or 'admin') had to have the
"View" permission disabled for anonymous users.

But over the past few weeks I've come to the conclusion that that policy
is unintuitive and not expected.  Even cmf.zope.org wasn't doing it
correctly.  So I've modified the default workflow so that it both
enables and disables permissions.  There are slight side effects but
they can be dealt with.

With that change in effect, it's no longer necessary for member folders
to have special security settings, so I removed the permission mappings
set up for each member and wrote a short script people can use as an
external method to remove the permission mappings on existing member
folders.

I also added a button to the WorkflowTool that cleans up the security
settings of all portal content.

Shane
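
The difference between the two workflow policies described in the message above, as an added example that is not part of the original post and is not CMF or Zope code. It is a simplified model of permission acquisition; the class, the function names and the roles granted in the private state are assumptions made for illustration.

```python
class Node:
    """Toy stand-in for a Zope object (hypothetical, not the Zope API)."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.perms = {}  # permission -> (roles granted here, acquire from parent?)

    def set_permission(self, permission, roles, acquire):
        self.perms[permission] = (set(roles), bool(acquire))

    def roles_for(self, permission):
        # Unset permissions are modelled as "grant nothing locally, acquire".
        roles, acquire = self.perms.get(permission, (set(), True))
        if acquire and self.parent is not None:
            return roles | self.parent.roles_for(permission)
        return set(roles)


def build_site():
    # Folder names taken from the message; root grants View to Anonymous.
    root = Node("cmf.zope.org")
    root.set_permission("View", ["Anonymous", "Manager"], acquire=False)
    page = Node("CMF_configuration", Node("admin", Node("doc", root)))
    return page


def old_workflow_private(obj):
    # "Enable only": adds roles but leaves acquisition switched on.
    obj.set_permission("View", ["Owner", "Manager"], acquire=True)


def new_workflow_private(obj):
    # "Enable and disable": sets roles and stops acquiring from containers.
    obj.set_permission("View", ["Owner", "Manager"], acquire=False)


def anonymous_can_view(obj):
    return "Anonymous" in obj.roles_for("View")


def demo():
    results = {}
    page = build_site()
    old_workflow_private(page)
    results["old"] = anonymous_can_view(page)
    # Old-policy requirement: a containing folder must disable View itself.
    page.parent.set_permission("View", ["Manager"], acquire=False)
    results["old_with_folder_locked"] = anonymous_can_view(page)
    page = build_site()
    new_workflow_private(page)
    results["new"] = anonymous_can_view(page)
    return results


if __name__ == "__main__":
    print(demo())
```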