As part of a workflow, I evaluate whether the user has the 'Modify portal content' permission as follows:

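# CMFCore is importable as Products.CMFCore
from Products.CMFCore.permissions import ModifyPortalContent
from Products.CMFCore.utils import _checkPermission

# True if the current user has 'Modify portal content' on ob
can_edit = _checkPermission(ModifyPortalContent, ob)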

where ob is the object I am talking about.

The object is in a user's home folder in a CMF Site - so it's at <portal>/Members/user/<object>.

On the members folder I have set any user with Owner permission to have the ModifyPortalContent permission, and to not acquire permissions. On the user folder, I have set the user to have a local role of owner. All permissions on <object> are acquired.

Now, when I call the actions tool from within a DTML template (okay, I may be the only person still using DTML but bear with me) logged in as <user>, the workflow thinks that I cannot edit the item. If I try the same thing from the debug prompt (zopectl debug + log in as this user) it thinks I do have permission.

I stepped through the code and somehow it thinks the user 'admin' is the owner. I think this is being acquired from somewhere (not sure where). I added the line _owner = None at the class level in CMFCore.DTMLMethod (analogous to that in CMFCore.FSPythonScript) and everything worked correctly but I'm confused.

Can anyone shed any light on what's going on? Although my fix made everything work properly, I don't know _why_ for certain - is this a bug in FSDTMLMethod that no-one has noticed until now, is it just coincidence this fixed it, or what?!


Zope-CMF maillist  -  Zope-CMF@lists.zope.org

See http://collector.zope.org/CMF for bug reports and feature requests
