Ticket #11573 (confirmed Bug)

Opened 5 years ago

Last modified 2 years ago

Rename not working when not all parent folders can be traversed

Reported by: maurits
Owned by:
Priority: minor
Milestone: 4.x
Component: General
Version: 4.3
Keywords:
Cc: spereverde

Description

This is similar to #8862, but that also concerned unicode paths which is not the problem here, so I'll open a new ticket.

  • Create a Folder 'folder'. The key: keep this folder private!
  • Within this Folder create a Folder 'subfolder'. Can be published or not.
  • Give user Joe all the sharing tab roles on this sub folder.
  • Joe creates a Page in the sub folder.
  • Joe tries to rename this page by using Actions>Rename or by renaming from the folder_contents of the subfolder. This does absolutely nothing. No form appears.
  • From folder_contents the same is true for trying to change the state or removing items.

The problem is in Products/CMFPlone/skins/plone_scripts/getObjectsFromPathList.py. We do 'portal.restrictedTraverse(str(path), None)' there. This returns None, as Joe is not allowed to traverse to the top 'folder'. What should be fine is to do an unrestrictedTraverse to the parent and then a restrictedTraverse to the item; the change in getObjectsFromPathList.py would be this:

 for path in paths:
-    obj = portal.restrictedTraverse(str(path), None)
+    split_path = str(path).split('/')
+    # We use unrestrictedTraverse to get to the parent as we may not
+    # have permission to traverse the complete path, like when we only
+    # have permissions in some subfolder deep in the site.
+    parent = portal.unrestrictedTraverse(split_path[:-1], None)
+    obj = parent.restrictedTraverse(split_path[-1], None)
     if obj is not None: contents.append(obj)
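Review bot: `parent` can be None here (that is the default handed to `unrestrictedTraverse`), and the following line then raises AttributeError on `parent.restrictedTraverse(...)` for any unresolvable path, where the old single `restrictedTraverse` call silently skipped it; add `if parent is None: continue` between the two calls. It is also worth saying in the comment that the last segment is still fetched with `restrictedTraverse`, so the caller's permission on the item itself is still enforced and only the checks on the intermediate containers are bypassed; that is the property that keeps this from returning objects the user may not access.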

Problem is of course that using unrestrictedTraverse is not allowed in python skin scripts...

I propose that we move this to a browser view; probably in plone.app.layout/navigation, but that is open for suggestions. The skin script should stay of course, but it could be changed to just return the call to the browser view. Any templates in Plone should use the new view.

Probably safe enough to do in Plone 3.3, 4.0 and 4.1.
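
The two-step traversal proposed above, as an added example that is not part of the ticket, of Plone, or of the proposed browser view. Plone cannot run outside Zope, so a tiny container tree stands in for the site, a per-node set of user names stands in for the 'Access contents information' permission, and a module-level current user replaces the security manager; only the shape of the two calls (`unrestrictedTraverse` to the parent, `restrictedTraverse` to the leaf) mirrors the real API. The `Node`, `set_user` and `build_site` names are assumptions made for the example. It also shows the guard the proposed diff lacks: an unresolvable parent is skipped instead of raising.

```python
"""Added example, not Plone or ticket code: a self-contained model of the
getObjectsFromPathList change proposed in ticket #11573."""

_current_user = 'anonymous'  # stand-in for Zope's security manager


def set_user(name):
    """Stand-in for newSecurityManager(): record who is traversing."""
    global _current_user
    _current_user = name


def _segments(path):
    """Accept a '/'-separated string or a sequence, as Traversable does.
    The toy portal is the root, so empty segments are simply dropped."""
    if isinstance(path, str):
        path = path.split('/')
    return [seg for seg in path if seg]


class Node(object):
    """A content object; 'readers' is who may traverse *to* this node
    (a stand-in for the 'Access contents information' permission)."""

    def __init__(self, name, readers, children=()):
        self.name = name
        self.readers = frozenset(readers)
        self.children = dict((child.name, child) for child in children)

    def unrestrictedTraverse(self, path, default=None):
        """Follow the path with no permission checks at all."""
        obj = self
        for seg in _segments(path):
            obj = obj.children.get(seg)
            if obj is None:
                return default
        return obj

    def restrictedTraverse(self, path, default=None):
        """Follow the path, checking the current user at every step."""
        obj = self
        for seg in _segments(path):
            obj = obj.children.get(seg)
            if obj is None or _current_user not in obj.readers:
                return default
        return obj


def get_objects_from_path_list_old(portal, paths):
    """The skin script as it stands: one restrictedTraverse over the whole
    path, so a private ancestor hides an item the user may otherwise edit."""
    contents = []
    for path in paths:
        obj = portal.restrictedTraverse(str(path), None)
        if obj is not None:
            contents.append(obj)
    return contents


def get_objects_from_path_list_fixed(portal, paths):
    """The ticket's proposal plus a None guard on the parent lookup."""
    contents = []
    for path in paths:
        split_path = str(path).split('/')
        # Unrestricted up to the parent: intermediate containers not checked.
        parent = portal.unrestrictedTraverse(split_path[:-1], None)
        if parent is None:
            continue  # unresolvable path: skip it, do not raise AttributeError
        # Restricted for the last step: the leaf itself is still checked, so
        # objects the user may not access are never returned.
        obj = parent.restrictedTraverse(split_path[-1], None)
        if obj is not None:
            contents.append(obj)
    return contents


def build_site():
    """Constructed site from the ticket: 'folder' is private (manager only),
    Joe was given roles on 'subfolder' and created 'page' in it."""
    page = Node('page', readers={'manager', 'joe'})
    secret = Node('secret', readers={'manager'})  # Joe may not see this one
    sub = Node('subfolder', readers={'manager', 'joe'}, children=[page, secret])
    folder = Node('folder', readers={'manager'}, children=[sub])
    return Node('portal', readers={'manager', 'joe', 'anonymous'}, children=[folder])


def names(objs):
    return [obj.name for obj in objs]


def joe_old():
    set_user('joe')
    return names(get_objects_from_path_list_old(build_site(), ['folder/subfolder/page']))


def joe_fixed():
    set_user('joe')
    return names(get_objects_from_path_list_fixed(build_site(), [
        'folder/subfolder/page',    # Joe's own page: now found
        'folder/subfolder/secret',  # leaf check still denies this one
        'nowhere/at/all']))         # unresolvable parent: skipped, no exception


if __name__ == '__main__':
    print('old:  ', joe_old())    # []
    print('fixed:', joe_fixed())  # ['page']
```

Running the block shows the old script returning nothing for Joe's page and the two-step version returning exactly that page, while still refusing the sibling he has no permission on.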

Change History

comment:1 Changed 5 years ago by hedley

Just did this. A few more problems arise which can easily be hacked away. When we eventually move to browser views this will of course not be needed.

Customize validate_folder_rename and folder_rename in portal_skins. Click the proxy tab for each and assign the role Manager. Those python scripts also use restrictedTraverse.

But really the whole chain of controller scripts needs to be investigated and fixed.

comment:2 Changed 4 years ago by davisagli

  • Component changed from Infrastructure to General

comment:3 Changed 4 years ago by kleist

  • Status changed from new to confirmed
  • Version set to 4.1

comment:4 Changed 4 years ago by kleist

  • Milestone set to 4.x

comment:5 Changed 3 years ago by spereverde

Just wanted to add some more info to this ticket, since we had the same issue on our setup.

  • this is not just for renaming, also for deleting: http://plone.293351.n2.nabble.com/restrictedTraverse-in-PloneTool-deleteObjectsByPath-td6750092.html - for which another script should be adjusted
  • we found the issue because our editors couldn't browse with the visual editor (ckeditor in our case, haven't tested with tinymce yet)
  • the issue for renaming, deleting and browsing can be easily fixed per Plone site by giving the permission 'Access contents information' to Member in the private state of the simple_publication workflow
  • I've added this in my branch of Products.CMFPlone ( https://github.com/spereverde/Products.CMFPlone/commit/1efe1d8e4a658346f63f717c9bc47d4193a9d2da)
  • a pull request hasn't been made since our consultants have contacted the security team to double check that this doesn't have any unwanted security issues and maybe there's another (better) solution for the issue
  • all we can say is that we've been running several plone sites with this adjustment for at least half a year without any issues

comment:6 Changed 3 years ago by spereverde

  • Cc spereverde added

comment:7 Changed 2 years ago by spereverde

  • Version changed from 4.1 to 4.3