bartek
2007-08-16 11:23:35 UTC
Hello
I noticed that for most objects the user who created it is recorded in
catalog table as 'owner', and portal_catalog when composing a query adds
a clause:
OR
(((catalog.owner = 'bartek')))))
This caused a problem for me: I took all permissions to an object I
created away from me, but portal_catalog still returns it, so I see the
object in a listbox but can't access it. And there is no way to make it
disappear from the listbox.
But when I delete an object, the owner disappears from the catalog, so
security works as expected.
So, what is basically the idea of having the owner in catalog and using
it in every query? And can it be dropped, since we have a security
machinery for that, and there are cases where the two contradict?
Bartek
I noticed that for most objects the user who created it is recorded in
catalog table as 'owner', and portal_catalog when composing a query adds
a clause:
OR
(((catalog.owner = 'bartek')))))
This caused a problem for me: I took all permissions to an object I
created away from me, but portal_catalog still returns it, so I see the
object in a listbox but can't access it. And there is no way to make it
disappear from the listbox.
But when I delete an object, the owner disappears from the catalog, so
security works as expected.
So, what is basically the idea of having the owner in catalog and using
it in every query? And can it be dropped, since we have a security
machinery for that, and there are cases where the two contradict?
Bartek
--
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"