[Erp5-dev] Strange cases with security in Unit tests
Mikolaj Antoszkiewicz
2007-11-14 18:44:29 UTC
Hello,

When playing tests I got halted on such a curious (for me) situation.
- As userA I'm creating the (tweaked) event object and setting myself as
event's source.
- Then I change the source to userB (logged in as user_manager)
- Security is set to give View and Access Content Information permission
to the user who is source.
- The permissions are set, and verified successfully with
'has_permission' method, but...
I get this exception when trying to do event.view()

*** Unauthorized: Your user account does not have the required permission.
Access to 'sales_rep_A' of (Folder at /Bziubziak/person_module)
denied.
Your user account, sales_rep_B, exists at /Bziubziak/acl_users.
Access requires Access_contents_information_Permission, granted to
the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor',
'Author', 'Manager', 'Owner'].
Your roles in this context are ['Authenticated', 'Member'].

It seems there should be some relations to userA still set on the event
object. Well...
To prove that userA is no longer related in any way to that object,
here's its Dict attached.

Can entries in workflow_history have any influence on that? I think
not. What other relations not listed in showDict might exist that cause
such an error?


Also there is a case where a user doesn't have modify permissions on the
object, can't even View it, but I can manually execute setter and getter
methods on it (in test only).
Is this a known case? Should such checks be made strictly using
has_permission methods and not by trying to actually modify/view the object?

Concerned,
Mikolaj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.tiolive.com/pipermail/erp5-dev/attachments/20071114/f447e7e6/attachment.html>
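The two situations in the mail above, replayed in a small constructed model (added here for illustration; this is not ERP5 or Zope code, and every name in it, including the "creator" field that still points at userA, is an assumption made up for the example). It shows how has_permission on the event itself can succeed for sales_rep_B while rendering the event's view fails, because the view reaches into person_module, a container whose "Access contents information" is granted only to roles sales_rep_B does not hold there; and it shows why a setter called directly from test code succeeds when the same call routed through the security check is refused.

```python
from dataclasses import dataclass, field

ACCESS = "Access contents information"
VIEW = "View"
MODIFY = "Modify portal content"


class Unauthorized(Exception):
    pass


@dataclass
class Obj:
    id: str
    perms: dict                                      # permission -> roles holding it
    local_roles: dict = field(default_factory=dict)  # user -> roles held on this object only
    children: dict = field(default_factory=dict)     # sub-object id -> Obj (a container)
    attrs: dict = field(default_factory=dict)        # plain data fields


# Global roles (constructed): neither sales rep holds a role that person_module trusts.
GLOBAL_ROLES = {
    "sales_rep_A": {"Authenticated", "Member"},
    "sales_rep_B": {"Authenticated", "Member"},
    "user_manager": {"Authenticated", "Member", "Manager"},
}


def roles_of(user, obj):
    return GLOBAL_ROLES.get(user, set()) | obj.local_roles.get(user, set())


def has_permission(user, perm, obj):
    """The check a test usually makes: does the user hold the permission on this object?"""
    return bool(roles_of(user, obj) & obj.perms.get(perm, set()))


def guarded_get_child(user, container, child_id):
    """Traversal as restricted code sees it: reaching into a container is itself checked."""
    if not has_permission(user, ACCESS, container):
        raise Unauthorized(
            f"Access to {child_id!r} of {container.id} denied; "
            f"{user} has roles {sorted(roles_of(user, container))} there")
    return container.children[child_id]


def guarded_set(user, obj, name, value):
    """A setter reached through the security layer, as a browser request would reach it."""
    if not has_permission(user, MODIFY, obj):
        raise Unauthorized(f"{user} may not modify {obj.id}")
    obj.attrs[name] = value


def set_source(event, user_id):
    """Change the event's source; the local role granting View/Access moves with it."""
    old = event.attrs.get("source")
    if old is not None:
        event.local_roles.pop(old, None)
    event.attrs["source"] = user_id
    event.local_roles[user_id] = {"Associate"}


def render_view(user, event, person_module):
    """The event view: checks View on the event, then resolves every person it displays."""
    if not has_permission(user, VIEW, event):
        raise Unauthorized(f"{user} may not view {event.id}")
    shown = {}
    for field_name in ("creator", "source"):
        pid = event.attrs[field_name]
        person = guarded_get_child(user, person_module, pid)  # the hop that fails
        shown[field_name] = person.attrs["title"]
    return shown


def run_scenario():
    """Replays the steps from the mail and records each outcome."""
    trusted = {"Assignee", "Assignor", "Associate", "Auditor", "Author", "Manager", "Owner"}
    person_module = Obj("person_module", perms={ACCESS: trusted, VIEW: trusted})
    for uid in ("sales_rep_A", "sales_rep_B"):
        person_module.children[uid] = Obj(uid, perms={ACCESS: trusted, VIEW: trusted},
                                          attrs={"title": uid.replace("_", " ")})
    event = Obj("event_1", perms={VIEW: {"Associate", "Owner", "Manager"},
                                  ACCESS: {"Associate", "Owner", "Manager"},
                                  MODIFY: {"Owner", "Manager"}})
    event.attrs["creator"] = "sales_rep_A"   # assumed leftover reference to userA
    set_source(event, "sales_rep_A")          # userA creates the event as its source
    set_source(event, "sales_rep_B")          # user_manager changes the source to userB

    out = {
        "B_has_view": has_permission("sales_rep_B", VIEW, event),
        "B_has_access": has_permission("sales_rep_B", ACCESS, event),
        "A_has_view": has_permission("sales_rep_A", VIEW, event),
    }
    try:
        render_view("sales_rep_B", event, person_module)
        out["B_view_error"] = None
    except Unauthorized as e:
        out["B_view_error"] = str(e)
    # Second case from the mail: a direct Python call never meets the security layer.
    event.attrs["title"] = "set directly"
    out["direct_set_worked"] = event.attrs["title"] == "set directly"
    try:
        guarded_set("sales_rep_B", event, "title", "via guard")
        out["guarded_set_error"] = None
    except Unauthorized as e:
        out["guarded_set_error"] = str(e)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The takeaway for a test suite is that has_permission answers only for the object it is asked about, while view() exercises every object the rendering touches, so the two checks are not interchangeable; and that plain Python calls from a test run outside the security layer, so a test that wants to prove a user cannot modify or view something has to go through the checked path rather than call the accessor directly.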
Mikolaj Antoszkiewicz
2007-11-14 18:49:37 UTC
Post by Mikolaj Antoszkiewicz
Hello,
When playing tests I got halted on such a curious (for me) situation.
- As userA I'm creating the (tweaked) event object and setting myself as
event's source.
- Then I change the source to userB (logged in as user_manager)
- Security is set to give View and Access Content Information permission
to the user who is source.
- The permissions are set, and verified successfully with
'has_permission' method, but...
I get this exception when trying to do event.view()
*** Unauthorized: Your user account does not have the required permission.
Access to 'sales_rep_A' of (Folder at /Bziubziak/person_module) denied.
Your user account, sales_rep_B, exists at /Bziubziak/acl_users.
Access requires Access_contents_information_Permission, granted to
the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor',
'Author', 'Manager', 'Owner'].
Your roles in this context are ['Authenticated', 'Member'].
It seems there should be some relations to userA still set on the event
object. Well...
To prove that userA is no longer related in any way to that object,
here's its Dict attached.
Can entries in workflow_history have any influence on that? I think
not. What other relations not listed in showDict might exist that cause
such an error?
Also there is a case where a user doesn't have modify permissions on the
object, can't even View it, but I can manually execute setter and getter
methods on it (in test only).
Is this a known case? Should such checks be made strictly using
has_permission methods and not by trying to actually modify/view the object?
Concerned,
Mikolaj
Sorry, wrong dict attached. This one looks much better... :)

M.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.tiolive.com/pipermail/erp5-dev/attachments/20071114/404409e3/attachment.htm>