[Zope-CMF] Workflow/discussion tool related permissions problem

John Morton jwm@plain.co.nz
Wed, 5 Jun 2002 10:33:12 +1200


On Friday 31 May 2002 17:25, John Morton wrote:
> I've been experimenting with dcworkflows, and in the process of testing a
> workflow I've run into a permissions problem I can't seem to solve.
>
> The workflow starts in private and allows an owner to publish to a
> prepublish state where a pair of automatic transitions will either move it
> to visible, if the owner possesses the 'Validated Member' role, or to
> pending if they don't. That bit works nicely; my test case with a member
> without the 'Validated Member' role resulted in the object ending up in
> pending. From here, a member with the 'Editor' role should be able to choose
> to reject or approve the object, but here's the problem - that user can't
> access the object, because when they do, it throws an Unauthorized
> exception when trying to access here.talkback.hasReplies. The object owner
> has no such trouble.
>
> Owner and Editor roles both have access content information, modify and
> view permissions on the object in this state, and neither masks the replies
> related permission. As far as I can tell, from browsing the source, the
> discussions tool protects hasReplies and friends with View.

After a bit more fiddling, it seems to be a problem with the traversability of
the talkback (DiscussionItemContainer) object. If I uncomment the line,
'__roles__ = None' in the source, subsequently created objects have
traversable talkback objects - but I'm not sure what security consequences are
created by doing this; obviously there are some or it wouldn't be commented
out.

This is all happening in CMF-1.2. I'll test out a CVS checkout version 
tonight.

John
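
Added example, not part of the original post or of CMF's code: a simplified model of how Zope 2's AccessControl interprets `__roles__`, showing that `__roles__ = None` marks an object public, so every user including Anonymous passes the access check. The class names, role lists and sample users are constructed for illustration; acquisition, local roles and proxy roles are left out.

```python
# Simplified model of the Zope 2 AccessControl convention for __roles__.
# It omits acquisition, local roles and executable (proxy-role) checks.

_NO_ROLES = object()  # marker: the object declares nothing itself


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""


def validate(value, user_roles):
    """Return True if a user holding user_roles may access value."""
    roles = getattr(value, "__roles__", _NO_ROLES)
    if roles is _NO_ROLES:
        # Real Zope falls back to the container here; this model refuses.
        raise Unauthorized("no security declaration")
    if roles is None or "Anonymous" in roles:
        return True  # None means public: no role check is made at all
    if set(roles) & set(user_roles):
        return True  # an empty tuple can never match, so () means private
    raise Unauthorized("requires one of %r" % (tuple(roles),))


class RestrictedTalkback:
    # Constructed role list for illustration; not CMF 1.2's actual setting.
    __roles__ = ("Manager", "Owner")


class PublicTalkback:
    __roles__ = None  # the line the post describes uncommenting


def who_can_traverse(obj):
    """Return the constructed sample users that pass validate() for obj."""
    users = {  # constructed sample users and roles
        "anonymous": ("Anonymous",),
        "editor": ("Authenticated", "Member", "Editor"),
        "owner": ("Authenticated", "Member", "Owner"),
    }
    allowed = []
    for name, roles in sorted(users.items()):
        try:
            validate(obj, roles)
            allowed.append(name)
        except Unauthorized:
            pass
    return allowed


if __name__ == "__main__":
    print("restricted:", who_can_traverse(RestrictedTalkback()))
    print("public:    ", who_can_traverse(PublicTalkback()))
```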