[Erp5-dev] owner in catalog and security
bartek
bartek at erp5.pl
Thu Aug 16 13:23:35 CEST 2007
Hello
I noticed that for most objects the user who created it is recorded in
catalog table as 'owner', and portal_catalog when composing a query adds
a clause:
OR
(((catalog.owner = 'bartek')))))
This caused a problem for me: I took all permissions to an object I
created away from me, but portal_catalog still returns it, so I see the
object in a listbox but can't access it. And there is no way to make it
disappear from the listbox.
But when I delete an object, the owner disappears from the catalog, so
security works as expected.
So, what is basically the idea of having the owner in catalog and using
it in every query? And can it be dropped, since we have a security
machinery for that, and there are cases where the two contradict?
Bartek
--
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"
More information about the Erp5-dev
mailing list