Ticket #1125 (closed defect: fixed)

Opened 14 years ago

Last modified 14 years ago

Unauthorized and acquisition problem

Reported by: rspivak
Owned by: rspivak
Priority: P1
Milestone: CPS 3.4.0
Component: CPSSubscriptions
Version: 3.3.8
Severity: major
Keywords:
Cc:

Description

Let's imagine we have the following structure: workspaces/A/B

workspaces -> contains .cps_subscriptions, but the container has no roles set for the 'Can subscribe' permission.
A -> empty folder without .cps_subscriptions
B -> empty folder without .cps_subscriptions

1) Logged in as Manager, subscribing under workspaces/A or workspaces/A/B puts subscriptions at workspaces/.cps_subscriptions; it doesn't create .cps_subscriptions under either workspaces/A or workspaces/A/B.

2) Logged in as a portal member, trying to access the subscribe form at workspaces/A gives:

Your user account does not have the required permission.  Access to 'getUserMode' of (SubscriptionContainer at /cps/workspaces/.cps_subscriptions) denied. Your user account, qwerty, exists at /cps/acl_users. Access requires one of the following roles: ['Manager']. Your roles in this context are ['Authenticated', 'Member', 'WorkspaceMember'].

This problem may be solved by:

Index: subscriptions_lib_display_user_subscribe.pt
===================================================================
--- subscriptions_lib_display_user_subscribe.pt (revision 29465)
+++ subscriptions_lib_display_user_subscribe.pt (working copy)
@@ -7,7 +7,7 @@

 <metal:block define-macro="display_user_subscribe">
   <tal:block define="subscriptions_tool nocall:here/portal_subscriptions;
-    subscription_folder python:getattr(here,subscriptions_tool.getSubscriptionContainerId(), None);
+    subscription_folder python:getattr(here.aq_inner.aq_explicit, subscriptions_tool.getSubscriptionContainerId(), None);
     events python:subscriptions_tool.getFilteredAllowedToSubscribeEventsFromContext(here);
     isAno python:here.portal_membership.isAnonymousUser();
     email request/email|nothing;
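
Review bot: The new `subscription_folder` line reaches into `here.aq_inner.aq_explicit` with no explanation, so a later cleanup could easily turn it back into `getattr(here, ...)`. Add a short TAL comment stating that the lookup must only match a container stored directly in the current folder, so that a parent's container is never acquired. Also confirm that the rest of the macro copes with `subscription_folder` being None, which now becomes the normal case for a folder that has no container of its own.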

After applying the above patch, the subscription container is created at the correct place: workspaces/A/.cps_subscriptions

But if the user tries to subscribe to some events and save that, he gets:

Your user account does not have the required permission.  Access to 'subscribeTo' of (ExplicitRecipientsRule at /cps/workspaces/collaborative/testa1/.cps_subscriptions/subscription__workflow_checkin_draft/explicit__recipients_rule) denied. Your user account, qwerty, exists at /cps/acl_users. Access requires one of the following roles: ['Manager']. Your roles in this context are ['Authenticated', 'Member', 'Owner', 'WorkspaceMember'].

This happens because the subscriptions container doesn't have any role set for the 'Can subscribe' permission on the container. Security acquisition makes the check at upper levels, but for that permission security acquisition is unchecked at the top of the site and only the Manager role is set for it.

This can be solved either by:

Index: permissions.py
===================================================================
--- permissions.py      (revision 29465)
+++ permissions.py      (working copy)
@@ -37,7 +37,7 @@
 setDefaultRoles( ManageSubscriptions, ('Manager'))

 CanSubscribe = 'Can subscribe'
-setDefaultRoles( CanSubscribe, ('Manager',))
+setDefaultRoles( CanSubscribe, ('Manager', 'Authenticated',))

 ViewMySubscriptions = 'View My Subscriptions'
 setDefaultRoles( ViewMySubscriptions, ('Manager', 'Member'))
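
Review bot: Adding 'Authenticated' to the `CanSubscribe` defaults grants the permission to every logged-in user wherever the default applies, which is wider than the 'Member' role used for `ViewMySubscriptions` two lines below. Prefer 'Member', or a per-container mapping, unless site-wide access is intended. Separately, the context line `setDefaultRoles( ManageSubscriptions, ('Manager'))` passes a plain string rather than a one-element tuple because the trailing comma is missing.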

or by setting the permission-to-role mapping when adding the container:

Index: SubscriptionContainer.py
===================================================================
--- SubscriptionContainer.py    (revision 29465)
+++ SubscriptionContainer.py    (working copy)
@@ -220,7 +220,7 @@
     def getSubscriptionById(self, subscription_id=''):
         """Return a susbcription object given an id

-        If it doesn't exist then create it
+        If it doesn't exist then create it
         """
         subtool = getToolByName(self, 'portal_subscriptions')
         subscription_prefix = subtool.getSubscriptionObjectPrefix()
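
Review bot: The removed and added docstring lines in `getSubscriptionById` read identically, so this hunk looks like a whitespace-only change unrelated to the permission fix; drop it from the patch or submit it separately. If the docstring is touched anyway, 'susbcription' in its first line is misspelled.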
@@ -290,6 +290,8 @@

     subscription_container = getattr(self, id)

+    subscription_container.updateProperties()
+
     # Let's create event subscriptions mapping the context.
     # These information are know by tool site.
     # We need to create them right now for the subscriptions
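
Review bot: The added `subscription_container.updateProperties()` call takes no arguments and nothing in this hunk says what it sets, so the diff alone does not show that it applies a 'Can subscribe' role mapping to the new container. Add a comment above the call naming the permission it is expected to set and the roles that receive it, since that decides who can subscribe in this folder.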

P.S. Tests were done on briques.demo.nuxeo.com, as well as on my local instance with Briques installed.
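
A simplified model of the two behaviours described in this ticket, added here as an example and not taken from CPS or Zope: acquired versus explicit lookup of .cps_subscriptions, and how roles for 'Can subscribe' are collected upward until a level has acquisition unchecked. The `Node` class, the helper names and the 'Member' role used for the local mapping are assumptions.

```python
class Node:
    """Constructed stand-in for a Zope object in a containment chain."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.children = {}   # objects stored directly in this one
        self.settings = {}   # permission -> (acquire flag, roles set here)
        if parent is not None:
            parent.children[name] = self

def lookup_acquired(ctx, name):
    """Models getattr(here, name, None): ctx first, then every parent."""
    while ctx is not None:
        if name in ctx.children:
            return ctx.children[name]
        ctx = ctx.parent
    return None

def lookup_explicit(ctx, name):
    """Models getattr(here.aq_inner.aq_explicit, name, None): ctx only."""
    return ctx.children.get(name)

def roles_for(obj, permission):
    """Collect roles going up until a level has acquisition unchecked."""
    roles = set()
    while obj is not None:
        acquire, local = obj.settings.get(permission, (True, ()))
        roles.update(local)
        if not acquire:
            break
        obj = obj.parent
    return roles

def allowed(user_roles, obj, permission):
    return bool(set(user_roles) & roles_for(obj, permission))

# Constructed tree mirroring the ticket's layout.
CID, PERM = ".cps_subscriptions", "Can subscribe"
site = Node("cps")
site.settings[PERM] = (False, ("Manager",))  # acquisition unchecked at the top
workspaces = Node("workspaces", site)
shared = Node(CID, workspaces)
folder_a = Node("A", workspaces)
member = ("Authenticated", "Member", "WorkspaceMember")

if __name__ == "__main__":
    print(lookup_acquired(folder_a, CID) is shared, lookup_explicit(folder_a, CID))
    local = Node(CID, folder_a)                  # container created in A itself
    print(allowed(member, local, PERM))          # only the root's roles apply
    local.settings[PERM] = (True, ("Member",))   # assumed local role mapping
    print(allowed(member, local, PERM))
```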

Change History

comment:1 Changed 14 years ago by janguenot

  • Status changed from new to assigned

I'll take a look at this this week.

comment:2 Changed 14 years ago by rspivak

  • Owner changed from janguenot to rspivak
  • Status changed from assigned to new

comment:3 Changed 14 years ago by rspivak

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in [29538].
