[Erp5-dev] owner in catalog and security

bartek bartek at erp5.pl
Thu Aug 16 18:01:45 CEST 2007


Jérome Perrin wrote:
> bartek wrote:
>> I think I see where the problem comes from: Owner role has View 
>> permission, yes, but I don't have this role, somebody else has it. So 
>> the problem with getViewPermissionOwner is that if Owner role has View 
>> permission it returns the user who created the object, NOT the user 
>> who currently has the Owner local role.
> 
> Yes, being the owner and having an Owner local role in Zope are different 
> things. So this method does not support the case where the owner does 
> not have an Owner local role.
> Maybe we should simply check that the owner has the view permission, 
> like in this attached patch?

I applied the patch, reindexed, and everything is fine. Thanks. Will you 
commit it?

B.

> 
>> The use case is the following: the object in question is a document 
>> which has been ingested by email. The 'creator', and initial owner, of 
>> the doc is the user used by mailin script to log into zope; but as the 
>> doc was sent by someone else, the ingestion script adjusted Owner 
>> local role accordingly. The getViewPermissionOwner function apparently 
>> does not provide for such situation.
> 
> I see, for this, maybe you should use the "changeOwnership" method from this 
> script (from AccessControl/Owned.py).
> 
> Jérome
> 
> 
> ------------------------------------------------------------------------
> 
> Index: Base.py
> ===================================================================
> --- Base.py	(rĂŠvision 15661)
> +++ Base.py	(copie de travail)
> @@ -1435,10 +1435,9 @@
>        Returns the user ID of the owner if Owner role
>        has View permission. Returns None else.
>      """
> -    path, user_id = self.getOwnerTuple()
> -    if 'Owner' in rolesForPermissionOn(Permissions.View, self):
> -      path, user_id = self.getOwnerTuple()
> -      return user_id
> +    owner = self.getWrappedOwner()
> +    if owner is not None and owner.has_permission(Permissions.View, self):
> +      return str(owner)
>      return None
>  
>    # Private accessors for the implementation of relations based on
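
Review bot: the docstring kept as context at the top of this hunk still says the user ID is returned "if Owner role has View permission", but the new test `owner.has_permission(Permissions.View, self)` checks the owning user's effective permission instead, so the docstring should be updated to describe the check that is actually made. Separately, `return str(owner)` replaces `return user_id` taken from `getOwnerTuple()`; the result now depends on how the user class renders itself as a string, so returning `owner.getId()` would keep the value an actual user ID, as the docstring promises.
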
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Erp5-dev mailing list
> Erp5-dev at erp5.org
> http://erp5.org/mailman/listinfo/erp5-dev


-- 
"feelings affect productivity. (...) unhappy people write worse 
software, and less of it."
Karl Fogel, "Producing Open Source Software"


