[Zope-CMF] cataloging of content inside workflowed containers

Sam Brauer sampbrauer at yahoo.com
Thu Jan 13 11:17:30 EST 2005


Some time ago I found that the portal_catalog doesn't
filter out of search results published objects that
are inside private folders.   This doesn't come up in
stock CMF since Portal Folders aren't workflowed, but
it will come up if you assign them a workflow (or use
Plone, which workflows Folders by default).

The end result is that anonymous users (or any users
with limited permissions) can see search results which
refer to objects that they do not have authorization
to view, since the object is inside a folder that
cannot be traversed into.  

I wonder if other people have encountered this issue
and how they have dealt with it.  I have tried to deal
with it by monkey-patching
CMFCore.CatalogTool.IndexableObjectWrapper.allowedRolesAndUsers
such that it walks up the folder hierarchy until it
reaches the site root and makes sure that the given
role has permissions to "View" and "Access contents
information" on each folder.  This seems to solve most
of the problem, but doesn't address the possibility
where container types may have effective and/or
expiration dates.  

I tend to think it would be nice if the CMF would
address this whole issue (including the
effective/expiration twist), but I can also understand
that this might be considered more of a policy issue.
However, even if there is no one-size-fits-all
solution, I would be curious to hear how anyone has
dealt with this sort of issue...  or at least get some
confirmation that I'm not the only person to encounter
it.

Many thanks,
- Sam Brauer
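
The containment check described in the message above, as an added example that is not part of the original post and is not CMF code: a self-contained Python model in which `Node`, `own_allowed_roles`, `effective_allowed_roles` and `search` are hypothetical names and the sample site is constructed. It ignores local roles and, like the approach in the post, does not cover effective or expiration dates on containers.

```python
# The two permissions the post checks on every containing folder.
CONTAINER_PERMS = ("View", "Access contents information")

class Node:
    """Constructed stand-in for a content object or folder; not a Zope/CMF class."""
    def __init__(self, name, parent=None, grants=None):
        self.name = name
        self.parent = parent
        # permission -> roles that hold it in this object's current workflow state
        self.grants = grants or {}

def own_allowed_roles(node):
    """Per-object index value: roles with View on the object itself only."""
    return set(node.grants.get("View", set()))

def effective_allowed_roles(node):
    """Roles with View on the object and both permissions on every ancestor.
    Assumption: the site root itself is included in the walk."""
    allowed = own_allowed_roles(node)
    folder = node.parent
    while folder is not None:
        for perm in CONTAINER_PERMS:
            allowed &= folder.grants.get(perm, set())
        folder = folder.parent
    return allowed

def search(catalog, user_roles, index_value):
    """Return names of catalogued objects whose indexed roles match the user."""
    return sorted(n.name for n in catalog if index_value(n) & set(user_roles))

# Constructed sample site: one private folder and one published folder.
OPEN = {p: {"Anonymous", "Member", "Manager"} for p in CONTAINER_PERMS}
CLOSED = {p: {"Manager"} for p in CONTAINER_PERMS}
root = Node("site", grants=OPEN)
private = Node("private-folder", root, CLOSED)
public = Node("public-folder", root, OPEN)
CATALOG = [Node("memo", private, OPEN), Node("news", public, OPEN)]

if __name__ == "__main__":
    # Per-object index: the published memo inside the private folder is listed.
    print(search(CATALOG, ["Anonymous"], own_allowed_roles))
    # Ancestor-aware index: only content reachable by traversal is listed.
    print(search(CATALOG, ["Anonymous"], effective_allowed_roles))
```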




		