[Zope-CMF] Re: [dev] createMemberarea: small proposal

Yuppie schubbe@web.de
Mon, 26 May 2003 14:16:12 +0200


Gitte Wange wrote:
>>Does anybody know why createMemberarea doesn't make use of invokeFactory()
> My guess is that is because members are not logged_in when the 
> createMemberArea function is called (if member areas are created when 
> joining)

Good guess! I'm not sure if Memberareas should be created for members 
that are not logged in (see below), but even if they are logged in they 
might not have the necessary permissions.

If we make createMemberarea scriptable, that script could get a proxy 
role and invokeFactory() should work.

> But I think the initiative to make the member areas dynamically changeable is 
> a great thing! I really miss that functionality (at the moment I'm 
> subclassing the membership tool a lot of times).

There is one problem with createMemberarea() that should be resolved 
before making it scriptable:

Right now any user can trigger createMemberarea() via wrapUser(). This 
is a potential security problem, because if createMemberarea() is 
triggered by another user, Ownership and Owner role of the created 
content objects are wrong. From the method, we can call LocalRoles 
methods and changeOwnership() to fix that. But changeOwnership() is 
private, so we can't call it from a script.

I think the best solution would be to call createMemberarea() from the 
logged_in page. But I'm afraid this would be too big a change.

So I propose this:

createMemberarea() and / or wrapUser() should check if member_id is the 
id of the authenticated user. If not, don't add a member area.