[Zope-PTK] Debugging PTK II

Shane Hathaway shane@digicool.com
Wed, 16 Aug 2000 12:48:09 -0400


Fabio Forno wrote:
> 
> Shane Hathaway wrote:
> 
> > I'm glad you found a way to solve this problem but we've been pushing
> > for a better solution to the publishing permission dilemma.  The change
> > you suggested above, without some change to the permissions mechanisms,
> > would make it so that even though members are allowed to view the
> > object, they can't search for it.  We need to maintain consistency.
> > To maintain that consistency, allowedRolesAndUsers() must return a
> > complete list of roles and users allowed to view an object regardless
> > of its publishing status.  If there is a bug in its current way of
> > accomplishing that, then it needs to be fixed.  In my limited testing
> > it always included "Anonymous" in the list of roles allowed to view the
> > object.
> >
> 
> I don't get the point. In this way allowedRolesAndUsers() remains the
> same, but it also checks the review_state to grant the View permission.
> Problems could arise only when applying more complex publishing policies
> (i.e. some content viewable only by a part of the members, some else
> also by guests and so on).

The point is that the current publishing policy mixed with your patch
makes it so that users can get at the object if they know where it is,
but can't see it in a catalog query.  We have to be consistent.  The
change I just made to CVS makes it so that everyone who's allowed to
see an object can also search for it.  (This was the intent, anyway.)
Now we need to change the publishing process so that updated
permissions take effect upon changing the status to "published".  The
net effect will be exactly what you're trying to achieve.

Shane
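
An added illustration, not part of the original message and not Zope/PTK code: a simplified model of the consistency requirement discussed above, comparing who can reach an object directly with who can find it in a catalog query. Every name here is hypothetical; allowed_roles_and_users() models the behaviour the thread describes for allowedRolesAndUsers(), and state_filtered_index() is an assumed stand-in for an index that depends on review_state.

```python
# Simplified model, not Zope/PTK code. All names and data are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Content:
    path: str
    review_state: str        # e.g. "private", "pending", "published"
    view_roles: frozenset    # roles holding the View permission

def can_view(obj, user_roles):
    """Direct access check: does the user hold View on the object?"""
    return bool(obj.view_roles & set(user_roles))

def allowed_roles_and_users(obj):
    """Index value as the thread describes it: everyone allowed to view,
    regardless of publishing status."""
    return set(obj.view_roles)

def state_filtered_index(obj):
    """Assumed stand-in for a state-dependent index: nothing is indexed
    until the object is published, while View itself is unchanged."""
    return set(obj.view_roles) if obj.review_state == "published" else set()

def search(objects, user_roles, index_fn):
    """Catalog query: paths whose indexed roles intersect the user's roles."""
    return {o.path for o in objects if index_fn(o) & set(user_roles)}

def audit(objects, user_roles, index_fn):
    """Report paths where direct access and search visibility disagree."""
    direct = {o.path for o in objects if can_view(o, user_roles)}
    found = search(objects, user_roles, index_fn)
    return {"reachable_not_searchable": sorted(direct - found),
            "searchable_not_reachable": sorted(found - direct)}

# Constructed sample content
SAMPLE = [
    Content("/news/a", "published", frozenset({"Anonymous", "Member"})),
    Content("/news/b", "pending", frozenset({"Member"})),
    Content("/news/c", "private", frozenset({"Owner"})),
]

if __name__ == "__main__":
    for name, fn in [("complete index", allowed_roles_and_users),
                     ("state-filtered index", state_filtered_index)]:
        print(name, audit(SAMPLE, ["Member"], fn))
```

With the state-filtered index, /news/b is reachable by a Member who knows its path but is missing from that Member's search results; with the complete index the two views agree.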