[Zope-CMF] CMF 1.2: 'private' objects visible to 'Member' users

ernie@iss.nus.edu.sg
Tue, 19 Mar 2002 10:30:28 +0800


Hi Tres,

Many thanks for your hints. I've been digging a little deeper and have
since arrived at the conclusion that I'm facing two separate problems.

1. [CMF is 'sensitive' to some object types]
When I login as a 'Member' who can 'Add portal content', I observe some
weird behaviour. When I add 'Document' or 'File' objects, I see these and
they are listed as 'Private' (as they should be). However, when I add
'Link' objects, only the 'Manager' or more privileged user can see these.
I, as the creator, cannot see these private 'Link' objects I have created.

2. [Local roles grant more permission than specified]
The problem with authenticated members seeing what they shouldn't may be
related to local roles. I validated this by checking against a folder which
does not have any special access requirements (i.e. all permissions are
acquired). In this scenario, the hiding of 'Private' information works as
expected. However, when I repeat this in a folder which I, as a 'Member',
am granted a local role to 'View' and 'Access content information', both of
which do not acquire their settings from the container, I can see any
'Private' objects created by anyone. This does not apply to folders in which
I am not granted a local role.

It therefore appears that the default workflow is working. BTW, my problem
is not related to the 'Members' folder issue as these occur in the normal
portal space.

I also wonder whether this phenomenon may be due to some silly security
setting I've got, though I still suspect a bug is more likely. Are there
any security verification points I should also look into?

Many thanks -- cheers, ernie.

Tres Seaver <tseaver@zope.com> on 2002-03-15 07:03:24 AM

To:   Ernie Ong/ISS@ISS
cc:   CMF List <zope-cmf@zope.org>
Subject:  Re: [Zope-CMF] CMF 1.2: 'private' objects visible to 'Member' users



Ernie wrote:
> Hi Tres,
>
> Indeed, I am using the default_workflow that comes with CMF 1.2 which I
> do not believe is labelled DCWorkflow as reported in "portal_workflow -->
> contents" (are they the same?). My problem is in fact less severe but more
> insidious: an authenticated user (role: member) can actually view other
> members' private objects (those newly created but not submitted for
> review); anonymous users cannot view such objects.
>
> I believe this has something to do with some permission setting issue at
> the point of CMF object creation but upon checking the source for CMF 1.2
> briefly, I think this may have been fixed. Many of the discussions centred
> on this arose during Dec 2001 before CMF 1.2 final release.
>
> Is there a fix/patch I can apply?
>
> Many thanks again -- cheers, ernie.

The bug you are reporting may be "homepage doesnt participate in workflow",
  http://www.zope.org/Products/PTK/Tracker/467

Is it only the 'index_html' in the member folder which has this problem, and
not other "private" content which members create? I can reproduce that
behavior against a Zope running against CMF 1.2.

Tres.
--
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com