[Zope-CMF] Re: [dev] createMemberarea: small proposal
Mon, 26 May 2003 14:16:12 +0200
Gitte Wange wrote:
>>Does anybody know why createMemberarea doesn't make use of invokeFactory()
> My guess is that is because members are not logged_in when the
> createMemberArea function is called (if member areas are created when
Good guess! I'm not sure if Memberareas should be created for members
that are not logged in (see below), but even if they are logged in they
might not have the necessary permissions.
If we make createMemberarea scriptable, that script could get a proxy
role and invokeFactory() should work.
> But I think the initiative to make the member areas dynamically changeable is
> a great thing! I really miss that functionality (at the moment I'm
> subclassing the membership tool a lot of times).
There is one problem with createMemberarea() that should be resolved
before making it scriptable:
Right now any user can trigger createMemberarea() via wrapUser(). This
is a potential security problem, because if createMemberarea() is
triggered by an other user, Ownership and Owner role of the created
content objects are wrong. From the method, we can call LocalRoles
methods and changeOwnership() to fix that. But changeOwnership() is
privat, so we can't call it from a script.
I think the best solution would be to call createMemberarea() from the
logged_in page. But I'm afraid this would be too big a change.
So I propose this:
createMemberarea() and / or wrapUser() should check if member_id is the
id of the authenticated user. If not, don't add a member area.