[Zope-CMF] Re: cataloging of content inside workflowed containers

Tres Seaver tseaver at zope.com
Thu Jan 13 11:49:40 EST 2005


Sam Brauer wrote:

> Some time ago I found that the portal_catalog doesn't
> filter out of search results published objects that
> are inside private folders.   This doesn't come up in
> stock CMF since Portal Folders aren't workflowed, but
> it will come up if you assign them a workflow (or use
> Plone which workflows Folders by default).  
> 
> The end result is that anonymous users (or any users
> with limited permissions) can see search results which
> refer to objects that they do not have authorization
> to view, since the object is inside a folder that
> cannot be traversed into.

Zope 2's traversal machinery doesn't check access rights on the 
containers (by design), so I'm not sure your scenario is quite right 
here.  It is perfectly possible to view content which resides in a 
container you can't view.

> I wonder if other people have encountered this issue
> and how they have dealt with it.  I have tried to deal
> with it by monkey-patching
> CMFCore.CatalogTool.IndexableObjectWrapper.allowedRolesAndUsers
> such that it walks up the folder hierarchy until it
> reaches the site root and makes sure that the given
> role has permissions to "View" and "Access contents
> information" on each folder.  This seems to solve most
> of the problem, but doesn't address the possibility
> where container types may have effective and/or
> expiration dates.  
> 
> I tend to think it would be nice if the CMF would
> address this whole issue (including the
> effective/expiration twist), but I can also understand
> that this might be considered more of a policy issue.
> However, even if there is no one-size-fits-all
> solution, I would be curious to hear how anyone has
> dealt with this sort of issue...  or at least get some
> confirmation that I'm not the only person to encounter
> it.

You certainly aren't the only person to encounter the behavior.  The 
absence of a widely-acceptable policy for the implications of 
workflowing containers is the reason that CMF prevents the Folder type 
from being workflowed.

My gut reaction is that a site or application which workflows containers 
needs to enforce its own policy about the workflow for contents.  I can 
see several possible alternatives:

   - Status quo:  container workflow has no impact on the workflow state,
     visibility, or effective range of its contents.

   - "Pater familias":  container workflow supercedes / suppresses
     separate settings for its contents (note that subcontainers are
     problematic here, as they were in Roman law ;)  This policy is
     actually pretty sane for a content type like a collector issue
     (which actually wants to suppress even the cataloguing of at least
     some of its contents).

   - "Constraint satisfaction":  the container's visibility / effective
     range provide additional constraints on those of the children.

Note that the *correct* place to apply these policies is within the 
particular workflow(s) associated with the container;  the scripts 
driven by the workflow might use additional tools to do the heavy lifting.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com



More information about the Zope-CMF mailing list