Ticket #13689 (new Bug)
Opened 3 years ago
The Owner role is inherited, and should not be.
| Reported by: | regebro | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.x |
| Component: | Unknown | Version: | 4.3 |
| Keywords: | | Cc: | |
Description
In plain Zope, the Owner role is inherited/acquired only until a new owner is set. I.e., if I create a folder, and I get set as the owner (with the _owner attribute), I will be the owner for everything in that folder, unless it also has an _owner attribute.
This is also how it's documented to work in Plone: http://plone.org/documentation/kb/using-roles
This is also how it has to be, because you need the functionality of assigning permissions to the Owner/creator, and those permissions should not be assigned to the owner/creator of the folder that the content is in.
However, this is not how it actually works. In borg.localroles workspace.py:checkLocalRolesAllowed (line 430) no special handling is done for the Owner permission. It just walks up the containment tree and gets the local roles with getRoles(), which will return 'Owner' if the user owns something further up the tree.
This makes it practically impossible in Plone to give owners special permissions, such as the right to edit their own entry in a discussion forum, without also giving that right to whoever posted the discussion in the first place, which is not a desired behaviour.
Ploneboard experiences this problem, and goes around it by not allowing any local role inheritance at all, on board entries. But that means it's impossible to have local roles on boards, which is a bigger problem than the one it solves.
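The difference between the documented and the reported behaviour, as an added example that is not part of the ticket and is not Zope, Plone or borg.localroles code. It is a toy containment tree: `Node`, `chain`, `roles_reported` and `roles_expected` are hypothetical names, and the forum, comment and draft objects are constructed sample data.

```python
# Toy model of a containment tree (assumption: not the real Zope/Plone API).
class Node:
    def __init__(self, name, parent=None, owner=None, local_roles=None):
        self.name = name
        self.parent = parent
        self.owner = owner                    # stands in for the _owner attribute
        self.local_roles = local_roles or {}  # user -> set of role names

    def roles_here(self, user):
        """Roles the user holds on this object alone."""
        roles = set(self.local_roles.get(user, ()))
        if self.owner == user:
            roles.add("Owner")
        return roles


def chain(node):
    """Yield node, then each container up to the root."""
    while node is not None:
        yield node
        node = node.parent


def roles_reported(node, user):
    """Behaviour the ticket reports: every role found on the way up counts."""
    found = set()
    for obj in chain(node):
        found |= obj.roles_here(user)
    return found


def roles_expected(node, user):
    """Behaviour the ticket asks for: Owner is acquired only until an object
    with its own owner is reached; other local roles are still inherited."""
    found = set()
    owner_settled = False
    for obj in chain(node):
        here = obj.roles_here(user)
        if owner_settled:
            here.discard("Owner")   # an owner closer to the object wins
        if obj.owner is not None:
            owner_settled = True
        found |= here
    return found


# Constructed sample: alice created the forum, bob posted a comment in it.
forum = Node("forum", owner="alice", local_roles={"carol": {"Reviewer"}})
comment = Node("comment", parent=forum, owner="bob")
draft = Node("draft", parent=forum)  # no owner of its own
```

With this data, `roles_reported(comment, "alice")` contains `Owner` while `roles_expected(comment, "alice")` does not, and carol's `Reviewer` local role on the forum still reaches the comment in both versions.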