[Zope-CMF] Secure filtering of content & workflow tool

Chris Withers chrisw@nipltd.com
Tue, 10 Jul 2001 22:10:35 +0100


Hi,

Just wondering why I could view content that hadn't been approved as an
anonymous user and then realised I'd taken the following chunk out of
standard_html_header:

<dtml-if "_.hasattr(this(),'isEffective') and not isEffective( ZopeTime() )">
<dtml-unless "portal_membership.checkPermission('Request review',this())
           or portal_membership.checkPermission('Review portal content',this())">
<dtml-var "RESPONSE.unauthorized()">
</dtml-unless>
</dtml-if>

I'm not using DCWorkflow yet but I thought the idea of a workflow tool was
to make this kind of permission check unnecessary?

...I just checked DefaultWorkflow in CMFDefault, and updateRoleMappingsFor
suggests that this content shouldn't be viewable, but it is!

Can anyone comment on this?

cheers,

Chris

(Oh yeah, also, is the Workflow tool going to handle all event notification,
etc? I asked about this w.r.t. the discussion tool earlier and Seb suggested
a workflow based solution. How feasible does that sound? If it's not, how
should I be doing it?)