Ticket #13230 (confirmed Bug)

Opened 3 years ago

Last modified 3 years ago

User must have permission to add an Image in order to add a File

Reported by: danjacka
Owned by:
Priority: minor
Milestone: 4.x
Component: Backend (Python)
Version: 4.3
Keywords:
Cc:

Description (last modified by danjacka)

Steps to reproduce

(tested on Plone 4.2.1 and Plone 4.3.1)

  1. In the ZMI at the site root, remove the "ATContentTypes: Add Image" permission from all roles and turn off acquiring the permission from a parent.
  2. Attempt to add a File. On save you will get an exception Unauthorized: You do not possess the 'ATContentTypes: Add Image' permission in the context of the container into which you are pasting, thus you are not able to perform this operation.

Diagnosis

In Products.CMFCore.utils.ContentInit, the initialize method sets a __factory_meta_type__ for a content type. __factory_meta_type__ is later used to check for add permission (in Products.CMFCore.PortalFolder.PortalFolderBase's _verifyObjectPaste method).

At Zope startup - when ContentInit().initialize is called for the various types - __factory_meta_type__ for plone.app.blob.content.ATBlob is set multiple times: first to 'plone.app.blob: Blob', then 'plone.app.blob: File' and lastly 'plone.app.blob: Image' (alphabetical order?). The last one 'wins', so later when _verifyObjectPaste looks up the __factory_meta_type__ for a File add, it finds 'plone.app.blob: Image' not 'plone.app.blob: File'.
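
The following sketch is an added illustration, not part of the original ticket and not code from Products.CMFCore or plone.app.blob. It models the overwrite described in the Diagnosis with a stand-in class; the helper names, the `own_meta_type` attribute and every permission name other than 'ATContentTypes: Add Image' are assumptions made for the example.

```python
# Simplified model of the Diagnosis above; not the real CMFCore code.

class ATBlob:
    """Stand-in for plone.app.blob.content.ATBlob, shared by three types."""
    def __init__(self, own_meta_type):
        # Hypothetical per-instance record of the type actually being added.
        self.own_meta_type = own_meta_type

# Registration order as reported in the ticket. Only the Image permission
# name comes from the ticket; the other two are assumed for illustration.
REGISTRATIONS = [
    ("plone.app.blob: Blob", "Add Blob (assumed name)"),
    ("plone.app.blob: File", "ATContentTypes: Add File"),
    ("plone.app.blob: Image", "ATContentTypes: Add Image"),
]

def initialize(klass, registrations):
    """Model of ContentInit().initialize: one class attribute, set per type."""
    permissions = {}
    for meta_type, permission in registrations:
        klass.__factory_meta_type__ = meta_type  # overwrites the earlier value
        permissions[meta_type] = permission
    return permissions

def permission_via_class(obj, permissions):
    """Lookup as in the ticket: the shared class attribute decides."""
    return permissions[obj.__factory_meta_type__]

def permission_via_instance(obj, permissions):
    """Alternative lookup keyed on the type being added (assumed design)."""
    return permissions[obj.own_meta_type]

def verify_paste(obj, granted, permissions, lookup):
    """Model of the add-permission check; raises if the permission is missing."""
    needed = lookup(obj, permissions)
    if needed not in granted:
        raise PermissionError("You do not possess the %r permission" % needed)
    return needed

PERMISSIONS = initialize(ATBlob, REGISTRATIONS)
NEW_FILE = ATBlob("plone.app.blob: File")

if __name__ == "__main__":
    granted = {"ATContentTypes: Add File"}   # role may add Files only
    print("class attribute:", ATBlob.__factory_meta_type__)
    print("per-instance check:", verify_paste(NEW_FILE, granted, PERMISSIONS,
                                              permission_via_instance))
    try:
        verify_paste(NEW_FILE, granted, PERMISSIONS, permission_via_class)
    except PermissionError as exc:
        print("class-attribute check:", exc)
```

In this model the error cuts both ways: a role holding only the Image permission passes the class-attribute check when adding a File.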

Change History

comment:1 Changed 3 years ago by kleist

  • Status changed from new to confirmed
  • Component changed from Unknown to Backend (Python)

comment:2 Changed 3 years ago by danjacka

  • Version changed from 4.2 to 4.3
  • Description modified