Discussion:
[Erp5-dev] owner in catalog and security
bartek
2007-08-16 11:23:35 UTC
Permalink
Hello

I noticed that for most objects the user who created it is recorded in
catalog table as 'owner', and portal_catalog when composing a query adds
a clause:

OR
(((catalog.owner = 'bartek')))))

This caused a problem for me: I took all permissions to an object I
created away from me, but portal_catalog still returns it, so I see the
object in a listbox but can't access it. And there is no way to make it
disappear from the listbox.

But when I delete an object, the owner disappears from the catalog, so
security works as expected.

So, what is basically the idea of having the owner in catalog and using
it in every query? And can it be dropped, since we have a security
machinery for that, and there are cases where the two contradict?

Bartek
--
"feelings affect productivity. (...) unhappy people write worse
software, and less of it."
Karl Fogel, "Producing Open Source Software"
Jérome Perrin
2007-08-16 12:59:54 UTC
Permalink
Post by bartek
Hello
I noticed that for most objects the user who created it is recorded in
catalog table as 'owner', and portal_catalog when composing a query adds
OR
(((catalog.owner = 'bartek')))))
This caused a problem for me: I took all permissions to an object I
created away from me, but portal_catalog still returns it, so I see the
object in a listbox but can't access it. And there is no way to make it
disappear from the listbox.
Hello,

This "owner" column is catalogued with the result of
getViewPermissionOwner method (you can see it in
portal_catalog/erp5_mysql_innodb/z_catalog_object_list).

This method docstring is:

    def getViewPermissionOwner(self):
      """
        Returns the user ID of the owner if Owner role
        has View permission. Returns None else.
      """

So if you don't have "View" permission on this document, this method
should return None, and the owner column should be NULL.

Maybe you used the ZMI to remove permissions; this does not reindex the
object. In that case, try to manually reindex this document, it should
be OK.
Post by bartek
But when I delete an object, the owner disappears from the catalog, so
security works as expected.
So, what is basically the idea of having the owner in catalog and using
it in every query? And can it be dropped, since we have a security
machinery for that,
I think it was for performance, but I'm not sure.
Post by bartek
and there are cases where the two contradict?
As this "owner" is actually "owner with view permission or nothing",
they should not contradict.

Jérome
bartek
2007-08-16 13:14:50 UTC
Permalink
Post by Jérome Perrin
Post by bartek
Hello
I noticed that for most objects the user who created it is recorded in
catalog table as 'owner', and portal_catalog when composing a query
OR
(((catalog.owner = 'bartek')))))
This caused a problem for me: I took all permissions to an object I
created away from me, but portal_catalog still returns it, so I see
the object in a listbox but can't access it. And there is no way to
make it disappear from the listbox.
Hello,
This "owner" column is catalogued with the result of
getViewPermissionOwner method (you can see it in
portal_catalog/erp5_mysql_innodb/z_catalog_object_list).
"""
Returns the user ID of the owner if Owner role
has View permission. Returns None else.
"""
So if you don't have "View" permission on this document, this method
should return None, and the owner column should be NULL.
Maybe you used the ZMI to remove permissions; this does not reindex the
object. In that case, try to manually reindex this document, it should
be OK.
I think I see where the problem comes from: Owner role has View
permission, yes, but I don't have this role, somebody else has it. So
the problem with getViewPermissionOwner is that if Owner role has View
permission it returns the user who created the object, NOT the user who
currently has the Owner local role.

The use case is the following: the object in question is a document
which has been ingested by email. The 'creator', and initial owner, of
the doc is the user used by mailin script to log into zope; but as the
doc was sent by someone else, the ingestion script adjusted Owner local
role accordingly. The getViewPermissionOwner function apparently does
not provide for such situation.

B.
Post by Jérome Perrin
Post by bartek
But when I delete an object, the owner disappears from the catalog, so
security works as expected.
So, what is basically the idea of having the owner in catalog and
using it in every query? And can it be dropped, since we have a
security machinery for that,
I think it was for performance, but I'm not sure.
Post by bartek
and there are cases where the two contradict?
As this "owner" is actually "owner with view permission or nothing",
they should not contradict.
Jérome
_______________________________________________
Erp5-dev mailing list
Erp5-dev at erp5.org
http://erp5.org/mailman/listinfo/erp5-dev
Jérome Perrin
2007-08-16 13:29:21 UTC
Permalink
Post by bartek
I think I see where the problem comes from: Owner role has View
permission, yes, but I don't have this role, somebody else has it. So
the problem with getViewPermissionOwner is that if Owner role has View
permission it returns the user who created the object, NOT the user who
currently has the Owner local role.
Yes, being the owner and having an Owner local role in zope are different
things. So this method does not support the case where the owner does
not have an Owner local role.
Maybe we should simply check that the owner has the view permission,
like in this attached patch?
Post by bartek
The use case is the following: the object in question is a document
which has been ingested by email. The 'creator', and initial owner, of
the doc is the user used by mailin script to log into zope; but as the
doc was sent by someone else, the ingestion script adjusted Owner local
role accordingly. The getViewPermissionOwner function apparently does
not provide for such situation.
I see, for this, maybe you should use the "changeOwnership" method from this
script (from AccessControl/Owned.py).

Jérome
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Base.getViewPermissionOwner.diff
URL: <http://mail.tiolive.com/pipermail/erp5-dev/attachments/20070816/51089cb7/attachment.txt>
bartek
2007-08-16 13:50:31 UTC
Permalink
Post by Jérome Perrin
Post by bartek
I think I see where the problem comes from: Owner role has View
permission, yes, but I don't have this role, somebody else has it. So
the problem with getViewPermissionOwner is that if Owner role has View
permission it returns the user who created the object, NOT the user
who currently has the Owner local role.
Yes, being the owner and having an Owner local role in zope is different
things. So this method does not support the case where the owner does
not have an Owner local role.
Maybe we should simply check that the owner has the view permission,
like in this attached patch ?
Sounds logical.
Post by Jérome Perrin
Post by bartek
The use case is the following: the object in question is a document
which has been ingested by email. The 'creator', and initial owner, of
the doc is the user used by mailin script to log into zope; but as the
doc was sent by someone else, the ingestion script adjusted Owner
local role accordingly. The getViewPermissionOwner function apparently
does not provide for such situation.
I see, for this, maybe you should use "changeOwnership" method from this
script (from AccessControl/Owned.py) .
I thought about this, but Owned.changeOwnership is private...

B.
Post by Jérome Perrin
Jérome
------------------------------------------------------------------------
Index: Base.py
===================================================================
--- Base.py (r??vision 15661)
+++ Base.py (copie de travail)
@@ -1435,10 +1435,9 @@
Returns the user ID of the owner if Owner role
has View permission. Returns None else.
"""
- path, user_id = self.getOwnerTuple()
- path, user_id = self.getOwnerTuple()
- return user_id
+ owner = self.getWrappedOwner()
+ return str(owner)
return None
# Private accessors for the implementation of relations based on
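Review bot: "return str(owner)" in the added lines returns the string form of whatever getWrappedOwner() gives back, while the docstring kept as context just above promises the user ID or None. If getWrappedOwner() returns None for an unowned object, str(owner) becomes the text 'None', and that is what would be catalogued in the owner column; guard for a missing owner first and return the ID explicitly (for example owner.getId()) rather than relying on str(). The docstring also still reads "if Owner role has View permission", whereas the thread describes the change as checking that the owner has the View permission, so it should be reworded to match.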
------------------------------------------------------------------------
bartek
2007-08-16 16:01:45 UTC
Permalink
Post by Jérome Perrin
Post by bartek
I think I see where the problem comes from: Owner role has View
permission, yes, but I don't have this role, somebody else has it. So
the problem with getViewPermissionOwner is that if Owner role has View
permission it returns the user who created the object, NOT the user
who currently has the Owner local role.
Yes, being the owner and having an Owner local role in zope is different
things. So this method does not support the case where the owner does
not have an Owner local role.
Maybe we should simply check that the owner has the view permission,
like in this attached patch ?
I applied the patch, reindexed, and everything is fine. Thanks. Will you
commit it?

B.
Post by Jérome Perrin
Post by bartek
The use case is the following: the object in question is a document
which has been ingested by email. The 'creator', and initial owner, of
the doc is the user used by mailin script to log into zope; but as the
doc was sent by someone else, the ingestion script adjusted Owner
local role accordingly. The getViewPermissionOwner function apparently
does not provide for such situation.
I see, for this, maybe you should use "changeOwnership" method from this
script (from AccessControl/Owned.py) .
Jérome
------------------------------------------------------------------------
Index: Base.py
===================================================================
--- Base.py (r??vision 15661)
+++ Base.py (copie de travail)
@@ -1435,10 +1435,9 @@
Returns the user ID of the owner if Owner role
has View permission. Returns None else.
"""
- path, user_id = self.getOwnerTuple()
- path, user_id = self.getOwnerTuple()
- return user_id
+ owner = self.getWrappedOwner()
+ return str(owner)
return None
# Private accessors for the implementation of relations based on
------------------------------------------------------------------------
Jérome Perrin
2007-08-17 16:58:33 UTC
Permalink
Post by bartek
Post by Jérome Perrin
Post by bartek
I think I see where the problem comes from: Owner role has View
permission, yes, but I don't have this role, somebody else has it. So
the problem with getViewPermissionOwner is that if Owner role has
View permission it returns the user who created the object, NOT the
user who currently has the Owner local role.
Yes, being the owner and having an Owner local role in zope is
different things. So this method does not support the case where the
owner does not have an Owner local role.
Maybe we should simply check that the owner has the view permission,
like in this attached patch ?
I applied the patch, reindexed, and everything is fine. Thanks. Will you
commit it?
OK thanks. I just checked it in.

Jérome
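
The mismatch discussed in this thread, as an added example that is not part of the original posts and is not ERP5 code: a constructed model of the catalog "owner" column that lists the rows the owner clause returns for a user who is denied View, under the behaviour described before the patch and the one proposed with it. Doc, index, listed_but_denied and the sample users are hypothetical names; the real check lives in Base.getViewPermissionOwner and the Zope security machinery.

```python
import sqlite3

class Doc:
    """Constructed stand-in for an ERP5 document (not the real Base class)."""
    def __init__(self, uid, creator, local_roles, view_roles):
        self.uid, self.creator = uid, creator
        self.local_roles = local_roles   # user id -> set of local roles
        self.view_roles = view_roles     # roles that hold the View permission

    def can_view(self, user):
        return bool(self.local_roles.get(user, set()) & self.view_roles)

    def owner_before(self):
        # Behaviour described in the thread: creator, if the Owner *role* has View.
        return self.creator if "Owner" in self.view_roles else None

    def owner_after(self):
        # Behaviour proposed in the thread: creator, only if that user can View.
        return self.creator if self.can_view(self.creator) else None

def index(docs, owner_of):
    """Build a toy catalog table; owner_of decides what is stored per row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE catalog (uid INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO catalog VALUES (?, ?)",
                   [(d.uid, owner_of(d)) for d in docs])
    return db

def listed_but_denied(db, docs, user):
    """uids the owner clause returns for `user` although View is denied."""
    by_uid = {d.uid: d for d in docs}
    rows = db.execute(
        "SELECT uid FROM catalog WHERE owner = ? ORDER BY uid", (user,))
    return [uid for (uid,) in rows if not by_uid[uid].can_view(user)]

# Constructed data: doc 1 was created by the mail-in account and the Owner
# local role was then given to the sender; doc 2 is an ordinary document.
DOCS = [
    Doc(1, "mailin", {"sender": {"Owner"}}, {"Owner", "Manager"}),
    Doc(2, "bartek", {"bartek": {"Owner"}}, {"Owner", "Manager"}),
]

if __name__ == "__main__":
    print(listed_but_denied(index(DOCS, Doc.owner_before), DOCS, "mailin"))
    print(listed_but_denied(index(DOCS, Doc.owner_after), DOCS, "mailin"))
```

Running the same check against a catalog built before a permission change reproduces the stale-row case from the first reply: the row stays listed until the document is reindexed.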
