Post by bartek
Post by Mikolaj Antoszkiewicz
Hello,
Since access to get_local_roles by non-Manager user is unauthorised,
could the script Base_getOwnerId have proxy Manager role by default?
That way a normal user can verify the ownership of the object, e.g. in a script.
I think that would come in handy in many circumstances.
Hello,
You can use getViewPermissionOwner, which is very similar.
What if I want to know who is the Owner even if I don't have View
Permission to the object?
...and, what if the guy who is the Owner doesn't have View for one
reason or another? I may still want to know about him, while
getViewPermissionOwner would return None...
I completely agree that it's convenient, but from a strict security point
of view, it's not really good, because it makes it possible to guess
existing usernames. Both Base_getOwnerId and getViewPermissionOwner have
this problem; this information was originally protected in Zope.
I suggest that we add something to prevent those methods from being called
directly in the URL (by removing the docstring or checking the presence
of a REQUEST argument).
For the problem you mentioned, it's probably better to do this in a
zope product, an external method, or an ERP5 local document.
Post by bartek
Post by Mikolaj Antoszkiewicz
BTW. Is there a way to get the real 'owner' of the object in ZMI?
There are multiple ways, whether you want the user object or the user
id, etc. Refer to AccessControl/Owned.py in your zope software home.
Jérome
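
The two guards suggested in the reply above (no docstring, or refusing a call that carries a REQUEST), sketched as an added example that is not code from this thread or from ERP5. It runs without Zope: `publish()` is a simplified model of a URL call, `Unauthorized` is a local stand-in, and all function names and sample values are hypothetical.

```python
class Unauthorized(Exception):
    """Local stand-in for Zope's Unauthorized exception (assumption)."""


def publish(func, context, request):
    """Simplified model of a call that arrives through a URL.

    Assumptions: the publisher refuses callables that have no docstring,
    and it fills an argument named REQUEST with the current request.
    """
    if not getattr(func, "__doc__", None):
        raise Unauthorized("not publishable: no docstring")
    return func(context, REQUEST=request)


def owner_id_without_docstring(context, REQUEST=None):
    # Guard 1: deliberately no docstring, so publish() refuses it.
    return context["owner"]


def owner_id_with_request_check(context, REQUEST=None):
    """Return the owner id; meant to be called from other code only."""
    # Guard 2: a non-None REQUEST means the call came in through a URL.
    if REQUEST is not None:
        raise Unauthorized("direct URL call refused")
    return context["owner"]


def url_call_refused(func, context):
    """Return True if publish() rejects a URL-style call to func."""
    try:
        publish(func, context, request={"URL": "constructed-request"})
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    doc = {"owner": "constructed_user"}  # constructed sample object
    for guard in (owner_id_without_docstring, owner_id_with_request_check):
        print(guard.__name__, "from code:", guard(doc),
              "| URL call refused:", url_call_refused(guard, doc))
```

Both guards only close the direct-URL path; any script a user is allowed to run can still call the function and read the owner id.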