[Zope-CMF] CMF 1.2: 'private' objects visible to 'Member' users
Dieter Maurer
dieter@handshake.de
Tue, 19 Mar 2002 22:40:55 +0100
ernie@iss.nus.edu.sg writes:
> ...
> 2. [Local roles grant more permission than specified]
> The problem with authenticated members seeing what they shouldn't may be
> related to local roles. I validated this by checking against a folder which
> does not have any special access requirements (i.e. all permissions are
> acquired). In this scenario, the hiding of 'Private' information works as
> expected. However, when I repeat this in a folder which I, as a 'Member',
> am granted a local role to 'View' and 'Access content information', both of
> which do not acquire their settings from the container, I can see any
> 'Private' objects created by anyone. This does not apply to folders in which I am
> not granted a local role.
Making objects private works by severely restricting the "View" and
"Access content information" permission mappings. When a local role
grants a user the necessary roles, he can see the objects.
Dieter
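The following is an added example, not code from the thread or from Zope/CMF itself. It is a deliberately simplified model of the Zope 2 security check that Dieter's explanation relies on: each object maps a permission to a set of roles plus an "acquire" flag, and a user's roles on an object are his global roles plus every local role granted on the object or on any of its containers. The 'private' workflow state is modelled as a non-acquiring mapping of both permissions to Manager and Owner (assumed to match the CMF 1.x default workflow); the users alice and bob, the folder names and the portal's own permission settings are made up for the illustration.

```python
# Simplified model of Zope 2 permission checking (added example, not Zope code).
from dataclasses import dataclass, field

VIEW = "View"
ACCESS = "Access contents information"
# Assumption: the CMF 1.x default workflow's 'private' state maps both
# permissions to these roles only, with acquisition switched off.
PRIVATE_ROLES = ("Manager", "Owner")


@dataclass
class Obj:
    id: str
    parent: "Obj | None" = None
    perms: dict = field(default_factory=dict)        # permission -> (roles, acquire)
    local_roles: dict = field(default_factory=dict)  # user id -> set of roles

    def roles_for(self, permission):
        """Roles that may exercise `permission` here: walk up the containment
        chain collecting roles until a non-acquiring setting is reached."""
        roles, node = set(), self
        while node is not None:
            allowed_roles, acquire = node.perms.get(permission, ((), True))
            roles |= set(allowed_roles)
            if not acquire:
                break
            node = node.parent
        return roles


def user_roles(user, global_roles, obj):
    """Global roles plus local roles granted on obj or any of its containers."""
    roles, node = set(global_roles), obj
    while node is not None:
        roles |= set(node.local_roles.get(user, ()))
        node = node.parent
    return roles


def allowed(user, global_roles, obj, permission):
    """True if any of the user's roles on obj is allowed the permission there."""
    return bool(user_roles(user, global_roles, obj) & obj.roles_for(permission))


def make_private(doc, owner):
    """Apply the 'private' state: restrict View/Access to Manager and Owner,
    do not acquire, and record the creator as local Owner (as CMF does)."""
    doc.perms[VIEW] = (PRIVATE_ROLES, False)
    doc.perms[ACCESS] = (PRIVATE_ROLES, False)
    doc.local_roles.setdefault(owner, set()).add("Owner")


def build_site():
    """Constructed sample site: three folders, each holding a private document
    created by alice. Returns {folder id: private document}."""
    public = (("Anonymous", "Member", "Manager"), False)
    root = Obj("portal", perms={VIEW: public, ACCESS: public})
    # folder_a: all permission settings acquired from the portal
    a = Obj("folder_a", root)
    # folder_b: View/Access set locally to Member, not acquired; bob gets Member locally
    b = Obj("folder_b", root,
            perms={VIEW: (("Member",), False), ACCESS: (("Member",), False)},
            local_roles={"bob": {"Member"}})
    # folder_c: bob gets a local role that the private state honours
    c = Obj("folder_c", root, local_roles={"bob": {"Owner"}})
    docs = {}
    for folder in (a, b, c):
        doc = Obj(folder.id + "_private", folder)
        make_private(doc, "alice")
        docs[folder.id] = doc
    return docs


def who_sees_what(user="bob", global_roles=("Member",)):
    """Can the given user View each folder's private document?"""
    return {fid: allowed(user, set(global_roles), doc, VIEW)
            for fid, doc in build_site().items()}


if __name__ == "__main__":
    print(who_sees_what())  # bob sees only folder_c's private document
```

The point the model makes explicit: a local role that merely gives bob "Member" on folder_b does not help him, because the private document's own non-acquiring mapping only admits Manager and Owner; a local "Owner" (or "Manager") role on folder_c, however, is inherited by everything inside it and lets him see private content created by anyone there, which is the behaviour the original poster observed.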