Ticket #9177 (confirmed Bug)

Opened 7 years ago

Last modified 3 years ago

User needs Modify portal content to paste items

Reported by: amleczko Owned by: nouri
Priority: major Milestone: 4.x
Component: Archetypes Version: 4.2
Keywords: Cc: eleddy

Description

In Archetypes 1.4.3 I've noticed this modification:

  * Update the base folder types to use sane permissions for
    manage_copyObjects, manage_pasteObjects, manage_renameObject(s)
    rather than the default 'View management screens' given by
    OFS.CopySupport (the permission mapping used is from
    Plone.PloneFolder)
    [alecm]

For copy, rename this change is logical, however for manage_pasteObjects it seems wrong. Paste is perform on the folderish context - for some use cases - we don't want to give users 'Modify portal content' in that context - only 'Add portal content'. My proposition is to change it to 'Add portal content'. Here are modules that overwrite default CopySupport approach:

  • Archetypes/BaseBTreeFolder.py
  • Archetypes/BaseFolder.py
  • CMFPlone/PloneFolder.py

Change History

comment:1 Changed 7 years ago by optilude

+1 - I was just bitten by this

comment:2 Changed 7 years ago by optilude

For anyone needing to work around this, you can add the following in a ZCML file:

<class class="OFS.CopySupport.CopyContainer">
    <require permissions="cmf.AddPortalContent" attributes="manage_pasteObjects" />
</class>
<class class="Products.Archetypes.BaseBTreeFolder.BaseBTreeFolder">
    <require permissions="cmf.AddPortalContent" attributes="manage_pasteObjects" />
</class>
<class class="Products.Archetypes.BaseFolder.BaseFolder">
    <require permissions="cmf.AddPortalContent" attributes="manage_pasteObjects" />
</class>
<class class="Products.CMFPlone.PloneFolder.PloneFolder">
    <require permissions="cmf.AddPortalContent" attributes="manage_pasteObjects" />
</class>

The correct fix for Plone is of course to change the ac_permissions mangling.

Martin

comment:3 Changed 4 years ago by eleddy

  • Version set to 4.2
  • severity set to Normal
  • Milestone changed from 3.3.x to 4.x

just reproduced on plone 4.2. User is a contributor who can add new items, but can't paste. head:bang.

comment:4 Changed 4 years ago by kleist

  • Status changed from new to confirmed

comment:5 Changed 3 years ago by lukasg

Also just been bitten by this.

Martin's workaround does the trick, it's permisson="" though (not permission*s) according to zope.security.metadirectives.IRequireSubdirective.

comment:6 Changed 3 years ago by eleddy

  • Cc eleddy added
Note: See TracTickets for help on using tickets.