[Zope-CMF] feature request

martin f krafft madduck@madduck.net
Sun, 18 May 2003 18:55:27 +0200

Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

The _checkId() function in CMFCore/PortalFolder.py prevents anyone
without the "Manage portal" permission to name objects with IDs that
are already used for other objects in the acquisiton path. This
makes perfect sense, or else anyone with a folder in Member could
override standard_html_{header,footer} by placing an appropriate
document into his/her /Members folder, thereby breaking the
integrity of the portal.

However, there may well be some uses when Members should be able to
do so. Currently, the only way to enable someone to do it is by
passing out the ManagePortal permission. This permission also allows
the changing of the default skin, usage of the MigrationTool, and
various other management tasks which could be dangerous if used by
the wrong hand.

I thus propose a feature change to the CMF framework. It should
provide a new CMDCorePermission (OverrideAcquisitions, "Override
acquisitions") and use that in PortalFolder::_checkId() rather than

Once that is done it would be even nicer if this permission could
provide a configuration dialog or file, or some other mechanism so
that the portal administrator can specify exactly which IDs may be
overridden by anyone holding this permission ("deny all but from
this list"). When all this is done, it will be trivial to
alternatively allow the "allow all but from this list" approach.

Maybe someone can tell me about the Skinnable property class, which
overrides _checkId() without the "Manage portal" check. Is it
possible for me as an administrator to make use of that?

I have tried to implement the above, but have been unsuccessful so
far (I don't know python very well yet, and I know very little about
how the ./Products hierarchy fits together, so I am progressing
slowly and carefully). I'll continue working on it, but I thought it
would be good to submit the feature request so that others get
a chance to take a shot too. If I succeed, expect a patch. If anyone
else succeeds, I'd appreciate a short note...

In the meantime, how do I go about adding a new permission. I tried
to add a couple of lines to CMFCorePermissions.py, but then I got
Bad Requests and Zope was unable to find the virtual host monster
I had configured, so I immediately undid all changes. I'd appreciate
a pointer to give me a head start.

Take care,

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
get my key here: http://madduck.net/me/gpg/publickey
"wovon man nicht sprechen kann, dar=FCber mu=DF man schweigen."
                                                       -- wittgenstein

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.1 (GNU/Linux)