[Zope-CMF] private docs shown to other members, pending shown to anonymous

marc lindahl marc@bowery.com
Thu, 27 Dec 2001 18:05:46 -0500


Take a look at the permissions made by your custom workflow, and take a look
at the permissions of the folder (tree) where your created documents are.  I
find that the default workflow is a little odd, and can easily give you that
behavior.  I'd recommend really analyzing your requirements and creating
your own workflows that interact as you desire with your folder permissions.

> From: Kari-Hans Kommonen <khk@uiah.fi>
> Date: Fri, 28 Dec 2001 00:49:34 +0200
> To: Lynn Walton <waltonl@franklin.edu>, zope-cmf@zope.org
> Subject: Re: [Zope-CMF] private docs shown to other members, pending shown to
> anonymous
> 
> I tried to describe the same situation previously, but I thought that
> there must be something wrong with our setup, so I did not explain it
> this way or call it a bug... in all our CMF sites, "private"
> documents seem to be available to all members if they discover the
> URL.
> 
> khk
> 
> At 16:20 -0600 27.12.2001, Lynn Walton wrote:
>> I've got Zope 2.4.3, CMF 1.1 cvs release from around Oct 28th.
>> 
>> If I create a CMFDefault Document and leave it private, then enter my
>> site as an anonymous user and use the URL for that document, I'll get
>> redirected to the login_form.  Then if I enter any valid member name &
>> password (even though it's not the owner of that private document) it
>> will let me see it.    This happens using the default workflow that
>> comes with CMF1.1.
>> 
>> What's worse is that if the owner uses submit to put it in the pending
>> state, it then becomes viewable by the Anonymous user.
>> 
>> The document's status is getting set properly to "private", or "pending",
>> etc.
>> 
>> I first noticed this problem when trying to use a custom DCWorkflow on
>> one of our custom objects.  I'm using a DCWorkflow that is based on the
>> classic workflow and I only altered it one way - to have it run a
>> script that emails me after the user does a submit.  This custom
>> dcworkflow is ONLY used for ONE of my custom objects, NOT the rest of
>> the CMFDefault stuff.
>> But it has the same behavior as described above.
>> 
>> When I experienced this, is when I went to see if I got the same
>> behavior with CMFDefault.Documents that are using the default workflow
>> and I did.
>> 
>> I haven't done anything to change the normal permissions or roles that I
>> think would be affecting this. I created two roles besides the default
>> ones, but I didn't change what permissions are available to any of the
>> default roles.
>> 
>> I searched the archives and the only other time I've seen complaints
>> about this were when people had added permissions to "Member" (like
>> Review Content) which I haven't done, or had written their own
>> DCWorkflows that might have problems. Since I think mine is a pretty
>> standard setup, I'm surprised no one else has reported this.   Any
>> ideas?