[Zope-CMF] trivial new portal folder type gives weird workflow/security behavior?

Florent Guillaume fg@nuxeo.com
Wed, 2 Oct 2002 17:09:16 +0200


The only thing I can add is that, as Evan mentioned recently, that's
how the Zope security model works: if an object allows Anonymous View
access (for instance), it doesn't matter what permissions are set in the
parent, the Publisher will still allow View access to Anonymous to that
object. Even though unrestrictedTraverse may not allow access.

This means that workflows that apply to something other than leaf objects
will be problematic in any case... You'll have to deal with some
security "by hand".

Florent


In article <5C320946-D5D3-11D6-A698-000393580FEA@sol43.com> you write:
> Just an FYI.. I thought that this script was handling the problem, 
> but I'm still seeing issues with folders and workflow. If anyone 
> has anything to add. I'm sure Chris and I would appreciate it.
> 
> ~C
> 
> On Tuesday, October 1, 2002, at 09:01  AM, Carl Rendell wrote:
> 
> > After some additional testing. This modified content_status_modify 
> > script seems to do the trick on preventing anonymous users from 
> > accessing unpublished or not effective content within a folderish 
> > object that is published. Chris and others may want to do more 
> > testing as well.
> >
> > BTW, I was having some difficulty getting this to work until I 
> > reindexed the catalog.
> >
> > My final version of the content_status_modify script takes care of 
> > the reindexing of sub objects, and the '/view' issue.
> >
> > ## Script (Python) "content_status_modify"
> > ##parameters=workflow_action, comment=''
> > ##title=Modify the status of a content object
> >
> > context.portal_workflow.doActionFor(
> >     context,
> >     workflow_action,
> >     comment=comment)
> >
> > view = '/view'
> >
> > # added to allow for workflow controlled folders
> > if context.isPrincipiaFolderish:
> >     view = ''
> >     context.reindexObjectSecurity()
> >
> > if workflow_action == 'reject':
> >     redirect_url = context.portal_url() + '/search?review_state=pending'
> > else:
> >     redirect_url = '%s%s?%s' % ( context.absolute_url()
> >                                , view
> >                                , 'portal_status_message=Status+changed.'
> >                                )
> >
> > context.REQUEST[ 'RESPONSE' ].redirect( redirect_url )

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com
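
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Zope code: a simplified model in which the publisher checks View only on the published object, plus an audit that lists items Anonymous can still view beneath a container that denies it. The `Item` class, its `view_roles` and `acquire` fields, the function names and the sample site are all hypothetical.

```python
# Simplified model of the behaviour described in the thread; not Zope code.
# Item, view_roles, acquire and all function names are hypothetical.

class Item:
    def __init__(self, name, parent=None, view_roles=(), acquire=True):
        self.name = name
        self.parent = parent
        self.view_roles = set(view_roles)  # roles granted View on this object
        self.acquire = acquire             # also inherit the parent's roles?
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def path(self):
        prefix = self.parent.path() if self.parent else ''
        return prefix + '/' + self.name


def effective_view_roles(item):
    """Roles holding View on item: its own, plus the parent's if acquired."""
    roles = set(item.view_roles)
    if item.acquire and item.parent is not None:
        roles |= effective_view_roles(item.parent)
    return roles


def publisher_allows(item, role):
    """Model of the publisher: only the published object's roles count."""
    return role in effective_view_roles(item)


def exposed_under_private(root, role='Anonymous'):
    """Paths `role` can view although a container above them denies it."""
    found = []

    def walk(item, hidden_above):
        allowed = publisher_allows(item, role)
        if allowed and hidden_above:
            found.append(item.path())
        for child in item.children:
            walk(child, hidden_above or not allowed)

    walk(root, False)
    return found


# Constructed sample: a folder made private by workflow, holding two documents.
site = Item('site', view_roles={'Anonymous'})
folder = Item('folder', site, view_roles={'Owner', 'Reviewer'}, acquire=False)
draft = Item('draft', folder)  # acquires the folder's settings
published = Item('published', folder, view_roles={'Anonymous'}, acquire=False)
```
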