[Zope] owner security assertions

[kosh@aesaeion.com]

On Wed, 15 May 2002, Florent Guillaume wrote:

> <kosh@aesaeion.com> wrote:
> > What would be the correct set of permissions and security assertions I
> > need in order to make it so that in addition to manager only the owner of
> > that object can edit it. It seems if I just gives the permissions I want
> > to the owner role that doesn't work.
>
> It should work. Owner is a local role given by ObjectManager to the user
> at object creation time. Check that in the Security/Local Roles tab.
>

Their username is listed as the owner of the object however it seems they
can't do what an owner should be able to do when they login. If I give
them the global role of owner thent they should. So for some reason they
are not getting assigned the local role of owner.

> How do you create you objects ?

With a python script. I have it create one of the object with a default
profile as a manager and then change the objects ownership which all seems
to work just fine.

>
> > If I assign someone to the role of owner they can do stuff in all of
> > the documents which is not what I want.
>
> Indeed. Nobody should have a global Owner role.
>
> > I had thought that owner was a role you got automatically on an object if
> > you where its owner.
>
> You get it when you create the object, so in effect what you say is true
> event if the mechanism is different. For instance if someone "takes
> ownership" of an object it doesn't change the Owner local role.
>

However shouldn't you have the owner role everytime you access the object
also if you are authenticated?