[Zope-CMF] CMF 1.2: 'private' objects visible to 'Member' users

Ernie ernie@iss.nus.edu.sg
Fri, 15 Mar 2002 09:36:55 +0800


Hi Tres,

Indeed, I am using the default_workflow that comes with CMF 1.2 which I do not
believe is labelled DCWorkflow as reported in "portal_workflow --> contents"
(are they the same?). My problem is in fact less severe but more insidious: an
authenticated user (role: member) can actually view other members' private
objects (those newly created but not submitted for review); anonymous users
cannot view such objects.

I believe this has something to do with some permission setting issue at the
point of CMF object creation but upon checking the source for CMF 1.2 briefly, I
think this may have been fixed. Many of the discussions centred on this arose
during Dec 2001 before CMF 1.2 final release.

Is there a fix/patch I can apply?

Many thanks again -- cheers,ernie.





Tres Seaver <tseaver@zope.com> on 2002-03-14 08:20:17 AM

To:   Ernie Ong/ISS@ISS
cc:   zope-cmf@zope.org
Subject:  Re: [Zope-CMF] CMF 1.2: 'private' objects visible to 'Member' users



On Thu, 14 Mar 2002, Ernie wrote:

>
> I'm using Zope 2.5.0 with the Mar 2003 hotfix, CMF 1.2.
>
> For some reason, newly created objects which are still 'private' can be seen by
> other ordinary members in the folder listing, and furthermore, viewed. However,
> anonymous users will not see such resources in the folder listing.
>
> The permissions "access future/inactive portal content" are not checked for
> ordinary members.
>
> Any idea why this may be so?
>
> Thanks in advance -- cheers,ernie.

At a guess, you are also using DCWorkflow, from a version prior to
the most recent CVS (e.g., the 0.4.2 release).  It had this bug for
the "default" workflows.  As a workaround:

 - Visit the "private" state's "Security" tab, and uncheck the
   "View" and "Access contents information" permissions for the
   Anonymous role.

 - Likewise update the "pending" state.

 - On the "Workflows" tab of the workflow tool, click the "Update
   security settings" button;  this visits all workflowed content,
   adjusting the role-permission mappings, and recataloguing it.

If you aren't using DCWorkflow, please let us know.

Tres.
--
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.org


_______________________________________________
Zope-CMF maillist  -  Zope-CMF@zope.org
http://lists.zope.org/mailman/listinfo/zope-cmf

See http://www.zope.org/Products/PTK/Tracker for bug reports and feature
requests
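
A check one could run after the "Update security settings" step in the workaround above, added here as an example and not part of the original thread: it lists 'private' and 'pending' objects whose own role-permission mapping still grants the two permissions to a given role. It assumes Zope's `rolesOfPermission` and `acquiredRolesAreUsedBy` methods on content objects and `getInfoFor` on the workflow tool; `FakeContent`, `FakeWorkflowTool` and the sample objects are constructed stand-ins, and the `roles` parameter goes beyond the Anonymous-only case in the reply.

```python
# Added example; FakeContent and FakeWorkflowTool are constructed stand-ins.
# On a live site, pass real content objects and the portal_workflow tool.
PERMISSIONS = ("View", "Access contents information")
STATES = ("private", "pending")
ROLE_NAMES = ("Anonymous", "Manager", "Member", "Owner", "Reviewer")

def selected_roles(ob, permission):
    """Roles explicitly checked for `permission` on `ob`."""
    return [r["name"] for r in ob.rolesOfPermission(permission) if r["selected"]]

def audit(objects, wf_tool, roles=("Anonymous",)):
    """Findings for private/pending objects that still grant access to `roles`."""
    findings = []
    for ob in objects:
        state = wf_tool.getInfoFor(ob, "review_state", None)
        if state not in STATES:
            continue
        for perm in PERMISSIONS:
            exposed = [r for r in selected_roles(ob, perm) if r in roles]
            if exposed:
                # Report the acquire flag too: acquired roles add to local ones.
                acquired = bool(ob.acquiredRolesAreUsedBy(perm))
                findings.append((ob.getId(), state, perm, exposed, acquired))
    return findings

class FakeContent:
    def __init__(self, id, state, grants, acquire=()):
        self.id, self.state, self.grants, self.acquire = id, state, grants, acquire
    def getId(self):
        return self.id
    def rolesOfPermission(self, permission):
        chosen = self.grants.get(permission, ())
        return [{"name": n, "selected": "SELECTED" if n in chosen else ""}
                for n in ROLE_NAMES]
    def acquiredRolesAreUsedBy(self, permission):
        return "CHECKED" if permission in self.acquire else ""

class FakeWorkflowTool:
    def getInfoFor(self, ob, name, default=None):
        return ob.state if name == "review_state" else default

V, ACI = PERMISSIONS
SAMPLE = [  # constructed objects, not taken from any real site
    FakeContent("draft-1", "private", {V: ("Anonymous", "Owner"), ACI: ("Owner",)}, (V,)),
    FakeContent("draft-2", "private", {V: ("Member", "Owner"), ACI: ("Owner",)}),
    FakeContent("news-1", "published", {V: ("Anonymous",), ACI: ("Anonymous",)}, (V,)),
    FakeContent("queue-1", "pending", {V: ("Owner", "Reviewer"), ACI: ("Anonymous",)}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, FakeWorkflowTool(), roles=("Anonymous", "Member")):
        print(finding)
```

An empty result for `roles=("Anonymous",)` means no private or pending object still has Anonymous checked for either permission.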