[Product-Developers] Weird permission issue with invokeFactory()

Gilles Lenfant gilles.lenfant at alterway.fr
Fri Sep 2 12:20:03 UTC 2011


On 2 Sept. 2011 at 12:35, Andreas Jung wrote:

> Hi there,
> 
> Plone 4.x...
> 
> I have code calling
> 
> folder.invokeFactory(some_type, id=some_id, title=.., other_attr=...)
> 
> This code works for a user with Manager role but fails for a user with
> local roles Editor, Contributor (on the folder).
> 
> The underlying edit() call seems to require the Manager role.

IMO, this should be protected by the appropriate permission, "Modify portal content", and not by a role.

> 
> This is intentional?
> 
> The workaround is to call the mutators of the generated object myself...
> working but not nice.

Otherwise change temporarily to a Manager role. This can be done easily in a reusable Python 2.6 context manager.

from AccessControl.SpecialUsers import system as he_can_do_everything
from AccessControl.SecurityManagement import (
    getSecurityManager, setSecurityManager, newSecurityManager
    )


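class RunAsManager(object):
    """Run the enclosed block as the system user, then restore the caller."""

    def __init__(self, request):
        self.request = request

    def __enter__(self):
        # Remember the caller's security manager so it can be restored
        self.real_sm = getSecurityManager()
        newSecurityManager(self.request, he_can_do_everything)
        return self.real_sm  # What else ?

    def __exit__(self, exc_type, exc_value, traceback):
        # Always drop back to the original security manager
        setSecurityManager(self.real_sm)
        return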

Then in your app:

with RunAsManager(self.request) as dummy_sm:
    # Do something that requires Manager rights
    # (as short as possible)
    pass  # placeholder so the block is valid Python

This is untested but this should work. Try it ;)
-- 
Gilles Lenfant

> 
> Andreas
> 
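The elevate-and-restore pattern from the reply above, modelled without Zope so it runs anywhere (an added example, not code from the thread or from Plone). `_ctx`, `create_item`, `Unauthorized` and `audit_log` are constructed stand-ins, not the AccessControl API; the example checks that the original user is restored even when the elevated block raises, and records each elevation for review.

```python
import threading

# Constructed stand-ins for Zope's per-thread security context; these
# names are hypothetical and are not the AccessControl API.
_ctx = threading.local()
audit_log = []  # (event, real user, detail) tuples, for later review

class Unauthorized(Exception):
    pass

def create_item(folder, item_id):
    """Models a call that only succeeds with the Manager role."""
    if "Manager" not in _ctx.roles:
        raise Unauthorized(_ctx.user)
    folder.append(item_id)

class RunAsManager(object):
    """Same shape as the class in the mail, plus an audit trail."""
    def __init__(self, reason):
        self.reason = reason

    def __enter__(self):
        self.saved = (_ctx.user, _ctx.roles)
        audit_log.append(("elevate", _ctx.user, self.reason))
        _ctx.user, _ctx.roles = "system", frozenset(["Manager"])

    def __exit__(self, exc_type, exc_value, traceback):
        _ctx.user, _ctx.roles = self.saved  # runs even if the block raised
        audit_log.append(("restore", _ctx.user, getattr(exc_type, "__name__", None)))
        return False  # do not swallow the exception

def demo():
    """Return the folder and the effective user after each elevated block."""
    del audit_log[:]
    _ctx.user, _ctx.roles = "editor", frozenset(["Editor", "Contributor"])
    folder, seen = [], []
    try:
        create_item(folder, "doc-1")  # denied: no Manager role
    except Unauthorized:
        seen.append("denied")
    with RunAsManager("invokeFactory workaround"):
        create_item(folder, "doc-1")
    seen.append(_ctx.user)
    try:
        with RunAsManager("block that fails"):
            raise ValueError("constructed failure")
    except ValueError:
        seen.append(_ctx.user)
    return folder, seen
```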


