[Zope-CMF] Strange behaviour: Owner and LocalRole Owner

Florent Guillaume fg@nuxeo.com
Fri, 21 Feb 2003 16:09:05 +0000 (UTC)


Rainer Thaden  <thadi@gmx.de> wrote:
> The owner is the one who created the content and is shown in the Owner
> tab. Actually i created the content as Admin and another person became
> the owner by using 'Take Ownership'.

Ok then you're talking about the "executable owner".

> >> As i understand from the Zope Documentation the owner of an object
> >> also has the local role 'owner' by default ?!
> 
> > In Zope, when someone creates an object the objects is automatically
> > assigned a locale role Owner with the id of the user that created it.
> > This happens in ObjectManager._setObject.
> 
> If someone takes over the ownership, is there a local role 'Owner'
> created? If so, is it possible to delete that role? If so, does this
> cause the behaviour i described above?
> Questions, questions ...

"Taking over ownership" takes ownership of the executable owner. Local
roles are not touched.

Note that the concept of executable owner is only useful when dealing
with objects that are "executable", like python scripts, ZPTs or DTML.
It's there to restrict the possibilites of the code executed by the
roles of the executable owner, in order to avoid potential trojan
scenarios.

CMF doesn't use the executable owner, except (unfortunately) when you
call Creator(). But Creator() should really infer its value from the
local roles, to be consistent and useful.

Florent
-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:fg@nuxeo.com