[Zope-CMF] private and pending items
Tres Seaver
tseaver@zope.com
17 Dec 2002 09:35:52 -0500

On Fri, 2002-12-13 at 15:51, Dieter Maurer wrote:
> Fearless Froggie writes:
> > I just set up a CMF portal with a couple of custom
> > types and noticed that private and pending items are
> > viewable if the user knows the URL for them. They are
> > also found by the search script. (Note -- these are
> > viewable by all users, even if not signed in.)
>
> With the "CMF default workflow [Revision 2]", the
> "private" state is no longer really private:
>
> So-called "private" content can be seen and searched for
> by anyone.
>
> You can go back to "Revision 1" to have really private content
> (can be neither viewed nor searched by anonymous users)
> or you can restrict your search script to return only
> "released" content to prevent occurrence of non-released
> content in search results.

I believe this is an error in the "default" workflow which shipped as
part of a particular release of DCWorkflow. The fix would be to check
the "Security" tab of the "Private" state, and remove the "View"
permission for the "Anonymous" role in that state.

Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
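
An added example, not part of the original thread and not DCWorkflow's own code: a small audit over per-state permission settings that lists every non-public state where "Anonymous" still holds "View", applies the removal described above to one state, and re-checks what an anonymous search would return. The state-to-roles dictionaries, the item ids, the "published" state name and all function names are constructed for illustration.

```python
import copy

# Constructed sample: each state maps a permission to the roles holding it
# while content is in that state. Plain dicts, not DCWorkflow objects.
BROKEN = {
    "private":   {"View": ["Anonymous", "Owner", "Manager"]},
    "pending":   {"View": ["Anonymous", "Owner", "Reviewer", "Manager"]},
    "published": {"View": ["Anonymous", "Member", "Owner", "Manager"]},
}
# Constructed catalog entries: (id, workflow state).
ITEMS = [("draft-memo", "private"), ("news-1", "published"), ("review-me", "pending")]


def leaky_states(workflow, public_states=("published",),
                 permission="View", role="Anonymous"):
    """Return non-public states in which `role` still holds `permission`."""
    return sorted(
        state for state, perms in workflow.items()
        if state not in public_states and role in perms.get(permission, [])
    )


def remove_role(workflow, state, permission="View", role="Anonymous"):
    """Return a copy of the workflow with `role` stripped from one state."""
    fixed = copy.deepcopy(workflow)
    roles = fixed[state].get(permission, [])
    fixed[state][permission] = [r for r in roles if r != role]
    return fixed


def visible_ids(workflow, items, user_roles):
    """Ids a user holding `user_roles` may view, in catalog order."""
    return [
        item_id for item_id, state in items
        if set(user_roles) & set(workflow[state].get("View", []))
    ]


if __name__ == "__main__":
    print("leaky before:", leaky_states(BROKEN))
    fixed = remove_role(BROKEN, "private")
    print("leaky after fixing 'private':", leaky_states(fixed))
    print("anonymous sees:", visible_ids(fixed, ITEMS, ["Anonymous"]))
```

In this constructed data, removing the role from "private" alone still leaves "pending" flagged, so the audit is worth re-running after each state is edited.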