[Zope-CMF] Unable to 'Undo'

Tres Seaver tseaver@zope.com
13 Jul 2002 14:53:15 -0400


On Sat, 2002-07-13 at 12:35, Carl Rendell wrote:

> 
> More research and testing reveals that there are three lines in the 
> CMFCore.UndoTool that are giving me [ is it just me? ] the 
> behavior - lines 114 - 116
> 
>          for tinfo in transaction_info:
>              if not xids.get( tinfo, None ):
>                  raise Unauthorized
> 
> If these are commented out, the ability to _undo_ from the user 
> interface returns. Most of the code in this version of the UndoTool 
> has been added since CMF 1.2, and is - as the comment indicates - a 
> belt and suspenders approach to assuring user's ability to undo 
> transactions [ was this a problem before? ]
>
> So, is this a bug, do I have a strange configuration, something 
> else? I have a work around that works for me, but there seems to be 
> something deeper here.
> 
> BTW, I've tested all manner of installation with all versions of 
> CMF, and the behavior is consistent... Unauthorized is raised when 
> attempting to perform Undo from the user interface in CMF 1.3-betaX.

The older model protected the 'undo' method with the 'UndoChanges'
permission, which was unfortunately not working;  the change after 1.2
was to make the method public, and then have it check the undoability of
the transactions whose IDs were passed in.

The checkin message for that change is illustrative of how tricksy this
problem can get:

 - Make 'undo' work for non-manager members, by making it public;
   note that this change requires adding an expensive check that the
   transactions passed in are actually undoable by the user.
   (Tracker #488).

We need to figure out why the transaction_info passed in from the form
is not present in the list of allowed transactions which the method
computes.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
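
The pattern discussed in this message (a public method that checks each submitted transaction ID against the set the user is allowed to undo) can be sketched as follows. This is an added example, not part of the original message and not CMFCore code. All names and sample IDs are hypothetical and constructed, and the mismatch categories are assumptions about what could differ between a form value and a stored ID, not a diagnosis of the reported problem.

```python
class Unauthorized(Exception):
    """Stand-in for the exception the tool raises (not Zope's class)."""


# Constructed sample data, not real transaction ids.
SAMPLE_RECORDS = [
    {"id": "AAAA1111", "user_name": "carl"},
    {"id": "BBBB2222", "user_name": "carl"},
]


def allowed_ids(records):
    """Ids of the transactions this user may undo (computed server-side)."""
    return {rec["id"] for rec in records}


def explain_rejection(submitted_id, allowed):
    """Classify why a submitted id missed the allowed set (diagnostic only)."""
    if submitted_id in allowed:
        return "ok"
    if submitted_id.strip() in allowed:
        return "whitespace differs"
    # Assumption: a form value might carry extra text after the id.
    parts = submitted_id.split(None, 1)
    if parts and parts[0] in allowed:
        return "extra text after id"
    return "not in allowed set"


def undo(submitted_ids, records, do_undo):
    """Public entry point: fail closed unless every id matches exactly."""
    allowed = allowed_ids(records)
    report = {tid: explain_rejection(tid, allowed) for tid in submitted_ids}
    bad = {tid: why for tid, why in report.items() if why != "ok"}
    if bad:
        # The reasons are for server-side logs; the check is never relaxed.
        raise Unauthorized(bad)
    do_undo(list(submitted_ids))
    return report
```

The diagnostic only labels near-misses for whoever is debugging the form; a near-miss is still rejected, so the authorization decision stays an exact match against the server-computed set.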