[Zope-CMF] CMF 1.2: 'private' objects visible to 'Member' users

ernie@iss.nus.edu.sg ernie@iss.nus.edu.sg
Wed, 20 Mar 2002 09:31:31 +0800


Hi Dieter,

Many thanks for the pointers. What I was hoping for was for CMF to
collaborate with Zope to hide some of these private objects.

This works correctly for a folder that does not have local roles defined
(i.e. private objects are indeed hidden and inaccessible) but if I am
granted even basic permissions in a local roles enabled folder (i.e. the
"View" and "Access content info" are no acquired, and granted explicitly),
then all CMF private objects are visible.

Is my assumption that CMF should have collaborated with Zope to hide / make
inaccessible such objects flawed? If so, I will have to use the Zope
management interface to explicitly restrict the above permissions which
will work but a little inconvenient.

Context of usage: I was a little concerned about this as I was using CMF to
distribute workshop solutions to students in a protected folder in which I
explicitly grant local role access. When I checked, and I'm glad I did, I
could see all these unpublished, private objects as a student.

I've duplicated this at least one other time on a separate system, this
time running CMF 1.2 but on Zope 2.4.3.

Many thanks to Florent Guillaume too - I'll look into the portal_workflow /
Link association too.

cheers,
ernie.





Dieter Maurer <dieter@handshake.de> on 2002-03-19 04:40:55 PM

To:   ernie@iss.nus.edu.sg
cc:   Tres Seaver <tseaver@zope.com>, CMF List <zope-cmf@zope.org>
Subject:  Re: [Zope-CMF] CMF 1.2: 'private' objects visible to 'Member'
      users


ernie@iss.nus.edu.sg writes:
 > ...
 > 2. [Local roles grant more permission than specified]
 > The problem with authenticated members seeing what they shouldn't may be
 > related to local roles. I validated this by checking against a folder
which
 > does not have any special access requirements (i.e. all permissions are
 > acquired). In this scenario, the hiding of 'Private' information works
as
 > expected. However, when I repeat this in a folder which I, as a
'Member',
 > am granted a local role to 'View' and 'Access content information', both
of
 > which do not acquire their settings from the container, I can see any
 > 'Private' objects created by anyone. This does not apply to folders I am
 > not granted a local role.
Making objects private works by severely restricting the "View" and
"Access content information" permission mapping. When a local roles
grants a user the necessary roles, then he can see the objects.


Dieter