[Zope-CMF] private docs shown to other members, pending shown to anonymous

Kari-Hans Kommonen khk@uiah.fi
Fri, 28 Dec 2001 00:49:34 +0200


I tried to describe the same situation previously, but I thought that 
there must be something wrong with our setup, so I did not explain it 
this way or call it a bug... in all our CMF sites, "private" 
documents seem to be available to all members if they discover the 
URL.

khk

At 16:20 -0600 27.12.2001, Lynn Walton wrote:
>I've got Zope 2.4.3, CMF 1.1 cvs release from around Oct 28th.
>
>If I create a CMFDefault Document and leave it private, then enter my
>site as an anonymous user and use the URL for that document, I'll get
>redirected to the login_form.  Then if I enter any valid member name &
>password (even though it's not the owner of that private document) it
>will let me see it.  This happens using the default workflow that
>comes with CMF1.1.
>
>What's worse is that if the owner uses submit to put it in the pending
>state, it then becomes viewable by the Anonymous user.
>
>The document's status is getting set properly to "private", or "pending",
>etc.
>
>I first noticed this problem when trying to use a custom DCWorkflow on
>one of our custom objects.  I'm using a DCWorkflow that is based on the
>classic workflow and I only altered it one way - to have it run a
>script that emails me after the user does a submit.  This custom
>DCWorkflow is ONLY used for ONE of my custom objects, NOT the rest of
>the CMFDefault stuff.
>But it has the same behavior as described above.
>
>When I experienced this, I went to see if I got the same behavior
>with CMFDefault.Documents that are using the default workflow, and I
>did.
>
>I haven't done anything to change the normal permissions or roles that I
>think would be affecting this. I created two roles besides the default
>ones, but I didn't change what permissions are available to any of the
>default roles.
>
>I searched the archives and the only other time I've seen complaints
>about this were when people had added permissions to "Member" (like
>Review Content) which I haven't done, or had written their own
>DCWorkflows that might have problems. Since I think mine is a pretty
>standard setup, I'm surprised no one else has reported this.  Any
>ideas?