Ticket #13230 (confirmed Bug)
User must have permission to add an Image in order to add a File
Reported by: | danjacka | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | 4.x |
Component: | Backend (Python) | Version: | 4.3 |
Keywords: | Cc: |
Description (last modified by danjacka) (diff)
Steps to reproduce
(tested on Plone 4.2.1 and Plone 4.3.1)
- In the ZMI at the site root, remove the "ATContentTypes: Add Image" permission from all roles and turn off acquiring the permission from a parent.
- Attempt to add a File. On save you will get an exception Unauthorized: You do not possess the 'ATContentTypes: Add Image' permission in the context of the container into which you are pasting, thus you are not able to perform this operation.
Diagnosis
In Products.CMFCore.utils.ContentInit, the initialize method sets a __factory_meta_type__ for a content type. __factory_meta_type__ is later used to check for add permission (in Products.CMFCore.PortalFolder.PortalFolderBase's _verifyObjectPaste method).
At Zope startup - when ContentInit().initialize is called for the various types - __factory_meta_type__ for plone.app.blob.content.ATBlob is set multiple times: first to 'plone.app.blob: Blob', then 'plone.app.blob: File' and lastly 'plone.app.blob: Image' (alphabetical order?). The last one 'wins', so later when _verifyObjectPaste looks up the __factory_meta_type__ for a File add, it finds 'plone.app.blob: Image' not 'plone.app.blob: File'.