I completly agree that it's conveniant, but from strict security point
of view, it's not really good, because it makes it possible to guess
existing usernames. Both Base_getOwnerId and getViewPermissionOwner have
this problem, this information was originaly protected in zope.
I suggest that we add something to prevent those methods to be called
direclty in the URL (by removing the docstring or checking the presence
of a REQUEST argument).
For the problem you mentionned, it's probably better to do this in a
zope product, an external method, or an ERP5 local document.
There are multiple ways, whether you want the user object or the user
id, etc. Refer to AccessControl/Owned.py in your zope software home.

J?rome