[Erp5-dev] owner in catalog and security

Jérome Perrin jerome at nexedi.com
Thu Aug 16 15:29:21 CEST 2007


bartek wrote:
> I think I see where the problem comes from: Owner role has View 
> permission, yes, but I don't have this role, somebody else has it. So 
> the problem with getViewPermissionOwner is that if Owner role has View 
> permission it returns the user who created the object, NOT the user who 
> currently has the Owner local role.

Yes, being the owner and having an Owner local role in Zope are different 
things. So this method does not support the case where the owner does 
not have an Owner local role.
Maybe we should simply check that the owner has the view permission, 
like in this attached patch?

> The use case is the following: the object in question is a document 
> which has been ingested by email. The 'creator', and initial owner, of 
> the doc is the user used by the mailin script to log into Zope; but as the 
> doc was sent by someone else, the ingestion script adjusted the Owner local 
> role accordingly. The getViewPermissionOwner function apparently does 
> not provide for such a situation.

I see, for this, maybe you should use the "changeOwnership" method from this 
script (from AccessControl/Owned.py).

Jérome
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Base.getViewPermissionOwner.diff
URL: <http://mail.tiolive.com/pipermail/erp5-dev/attachments/20070816/51089cb7/attachment.txt>
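
A simplified model of the mismatch discussed in this thread, added here as an illustration: it is not code from Zope, ERP5 or the attached patch. The `Doc` class, the function names and the sample users are hypothetical, and role handling is reduced to global roles plus local roles.

```python
# Simplified model of the thread's scenario. Not Zope, ERP5 or patch code;
# Doc and every function name here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Doc:
    owner: str                                       # models Zope ownership (set at creation)
    local_roles: dict = field(default_factory=dict)  # user id -> set of local roles
    view_roles: frozenset = frozenset({"Owner", "Manager"})  # roles granted View


def can_view(doc, user, global_roles):
    """True if any of the user's global or local roles is granted View."""
    roles = set(global_roles.get(user, ())) | set(doc.local_roles.get(user, ()))
    return bool(roles & doc.view_roles)


def view_owner_by_role(doc):
    """Behaviour described in the quoted mail: Owner role has View -> return the owner."""
    return doc.owner if "Owner" in doc.view_roles else None


def view_owner_checked(doc, global_roles):
    """Idea proposed in the reply: return the owner only if that user really has View."""
    return doc.owner if can_view(doc, doc.owner, global_roles) else None


def owner_role_holders(doc):
    """Users who currently hold the Owner local role."""
    return sorted(u for u, roles in doc.local_roles.items() if "Owner" in roles)


def ingested_doc():
    """Constructed sample: created by the mail-in account, Owner local role moved to the sender."""
    return Doc(owner="mailin", local_roles={"sender": {"Owner"}})


GLOBAL_ROLES = {"mailin": {"Member"}, "sender": {"Member"}}  # constructed sample

if __name__ == "__main__":
    doc = ingested_doc()
    print(view_owner_by_role(doc))                # mailin, who cannot actually view
    print(view_owner_checked(doc, GLOBAL_ROLES))  # None
    print(owner_role_holders(doc))                # ['sender']
    doc.owner = "sender"                          # models the effect of changing ownership
    print(view_owner_checked(doc, GLOBAL_ROLES))  # sender
```

In this model the role-only lookup names a user who has no View access, so a catalog security index built from it would record the wrong principal for the document.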