[Erp5-dev] owner in catalog and security

bartek bartek at erp5.pl
Thu Aug 16 15:14:50 CEST 2007 

Jérome Perrin wrote:
> bartek a écrit :
>> Hello
>>
>> I noticed that for most objects the user who created it is recorded in 
>> catalog table as 'owner', and portal_catalog when composing a query 
>> adds a clause:
>>
>> OR
>> (((catalog.owner = 'bartek')))))
>>
>> This caused a problem for me: I took all permissions to an object I 
>> created away from me, but portal_catalog still returns it, so I see 
>> the object in a listbox but can't access it. And there is no way to 
>> make it disappear from the listbox.
> 
> Hello,
> 
> This "owner" column is catalogued with the result of 
> getViewPermissionOwner method (you can see it in 
> portal_catalog/erp5_mysql_innodb/z_catalog_object_list).
> 
> This method docstring is :
>   def getViewPermissionOwner(self):
>     """
>       Returns the user ID of the owner if Owner role
>       has View permission. Returns None else.
>     """
> 
> So if you don't have "View" permission on this document, this method 
> should return None, and the owner column should be NULL.
> 
> Maybe you used the ZMI to remove permissions; this does not reindex the 
> object. In that case, try to manually reindex this document, it should 
> be OK.

I think I see where the problem comes from: Owner role has View 
permission, yes, but I don't have this role, somebody else has it. So 
the problem with getViewPermissionOwner is that if Owner role has View 
permission it returns the user who created the object, NOT the user who 
currently has the Owner local role.

The use case is the following: the object in question is a document 
which has been ingested by email. The 'creator', and initial owner, of 
the doc is the user used by mailin script to log into zope; but as the 
doc was sent by someone else, the ingestion script adjusted Owner local 
role accordingly. The getViewPermissionOwner function apparently does 
not provide for such situation.

B.

> 
>> But when I delete an object, the owner disappears from the catalog, so 
>> security works as expected.
>>
>> So, what is basically the idea of having the owner in catalog and 
>> using it in every query? And can it be dropped, since we have a 
>> security machinery for that,
> 
> I think it was for performance, but I'm not sure.
> 
>> and there are cases where the two contradict?
> 
> As this "owner" is actually "owner with view permission or nothing", 
> they should not contradict.
> 
> Jérome
> _______________________________________________
> Erp5-dev mailing list
> Erp5-dev at erp5.org
> http://erp5.org/mailman/listinfo/erp5-dev
> 


-- 
"feelings affect productivity. (...) unhappy people write worse 
software, and less of it."
Karl Fogel, "Producing Open Source Software"

More information about the Erp5-dev mailing list