[Zope-CMF] CMF 1.2: 'private' objects visible to 'Member' users

Florent Guillaume fg@nuxeo.com
Tue, 19 Mar 2002 10:57:35 +0000 (UTC)


<ernie@iss.nus.edu.sg> wrote:
> 1. [CMF is 'sensitive' to some object types]
> When I login as a 'Member' who can 'Add portal content', I observe some
> weird behaviour. When I add 'Document' or 'File' objects, I see these and
> they are listed as 'Private' (as they should be). However, when I add
> 'Link' objects, only the 'Manager' or more privileged user can see these.
> I, as the creator, cannot see these private 'Link' objects I have created.

Could you check the Type to Workflow association in portal_workflow to
verify that Link is associated to the same workflow as the others?
Also, are you using a (Default) workflow?

I recommend against using any (Default) workflow, because there is still
a bug in CMF (I have to check if the latest cvs changes fix it) where at
object creation time the (Default) workflow is briefly used if it is not
empty, instead of the correct one.


> 2. [Local roles grant more permission than specified]
> The problem with authenticated members seeing what they shouldn't may be
> related to local roles. I validated this by checking against a folder which
> does not have any special access requirements (i.e. all permissions are
> acquired). In this scenario, the hiding of 'Private' information works as
> expected. However, when I repeat this in a folder which I, as a 'Member',
> am granted a local role to 'View' and 'Access content information', both of
> which do not acquire their settings from the container, I can see any
> 'Private' objects created by anyone. This does not apply to folders I am
> not granted a local role.

You should check the Security tab (and the associated local roles) of
such an object that is visible when it should not be, and identify what
permissions are wrongly set. Then find what workflow could have set them.


Florent
-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 10  http://nuxeo.com  mailto:fg@nuxeo.com