[Erp5-dev] owner in catalog and security
Jérome Perrin
jerome at nexedi.com
Thu Aug 16 14:59:54 CEST 2007
bartek wrote:
> Hello
>
> I noticed that for most objects the user who created it is recorded in
> catalog table as 'owner', and portal_catalog when composing a query adds
> a clause:
>
> OR
> (((catalog.owner = 'bartek')))))
>
> This caused a problem for me: I took all permissions to an object I
> created away from me, but portal_catalog still returns it, so I see the
> object in a listbox but can't access it. And there is no way to make it
> disappear from the listbox.
Hello,
This "owner" column is catalogued with the result of the
getViewPermissionOwner method (you can see it in
portal_catalog/erp5_mysql_innodb/z_catalog_object_list).
This method's docstring is:
  def getViewPermissionOwner(self):
    """
    Returns the user ID of the owner if Owner role
    has View permission. Returns None else.
    """
So if you don't have "View" permission on this document, this method
should return None, and the owner column should be NULL.
Maybe you used the ZMI to remove permissions; this does not reindex the
object. In that case, try to manually reindex this document, it should
be OK.
> But when I delete an object, the owner disappears from the catalog, so
> security works as expected.
>
> So, what is basically the idea of having the owner in catalog and using
> it in every query? And can it be dropped, since we have a security
> machinery for that,
I think it was for performance, but I'm not sure.
> and there are cases where the two contradict?
As this "owner" is actually "owner with view permission or nothing",
they should not contradict.
Jérome
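
The stale-index situation described in the reply above, as an added example that is not part of the original message and is not ERP5 code. It is a simplified sqlite3 model: the Document and Catalog classes, owner_can_view, listed_for and stale_uids are hypothetical names, and only getViewPermissionOwner and the owner column come from the thread.

```python
import sqlite3

class Document:
    """Constructed stand-in for a catalogued document (not ERP5 code)."""
    def __init__(self, uid, owner, owner_can_view=True):
        self.uid = uid
        self.owner = owner
        self.owner_can_view = owner_can_view  # models "Owner role has View permission"

    def getViewPermissionOwner(self):
        # Same contract as the docstring quoted in the reply.
        return self.owner if self.owner_can_view else None

class Catalog:
    """Simplified model of a catalog table with an 'owner' column."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE catalog (uid INTEGER PRIMARY KEY, owner TEXT)")

    def reindex(self, doc):
        # The owner column is computed only here, at indexing time.
        self.db.execute("INSERT OR REPLACE INTO catalog (uid, owner) VALUES (?, ?)",
                        (doc.uid, doc.getViewPermissionOwner()))

    def listed_for(self, user):
        # Only the owner clause of the security query is modelled.
        rows = self.db.execute(
            "SELECT uid FROM catalog WHERE owner = ? ORDER BY uid", (user,))
        return [uid for (uid,) in rows]

    def stale_uids(self, docs):
        # Audit: rows whose stored owner no longer matches the live object.
        stored = dict(self.db.execute("SELECT uid, owner FROM catalog"))
        return [d.uid for d in docs if stored.get(d.uid) != d.getViewPermissionOwner()]

def demo():
    catalog = Catalog()
    doc = Document(uid=1, owner="bartek")
    catalog.reindex(doc)
    before = catalog.listed_for("bartek")
    doc.owner_can_view = False   # permission changed without a reindex
    stale = catalog.listed_for("bartek")
    catalog.reindex(doc)         # manual reindex stores NULL in owner
    after = catalog.listed_for("bartek")
    return before, stale, after

if __name__ == "__main__":
    print(demo())
```

The middle result is the listbox symptom from the question: the row is still matched by the owner clause until the document is reindexed.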