Adding objects requires permission zope.app.dublincore.change

Bug #98124 reported by Albertas Agejevas
Affects: Zope 3
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Suppose we have a permission 'schoolbell.create' that lets users create objects.
If a user that has this permission tries to add an object with an add form, he gets
an error:

[...]
      File "Zope3/src/zope/interface/adapter.py", line 468, in subscribers
        return [subscription(*objects) for subscription in subscriptions]
      File "Zope3/src/zope/app/dublincore/timeannotators.py", line 26, in ModifiedAnnotator
        dc.modified = datetime.utcnow()
    Unauthorized: (<zope.app.dublincore.annotatableadapter.ZDCAnnotatableAdapter object at 0x41ab230c>, 'modified', 'zope.app.dublincore.change')

Suggested solution: unwrap the dc adapter with removeSecurityProxy in the IObjectModifiedEvent handler. After all, not all principals that can add/modify objects must have the zope.app.dublincore.change permission.

I'll commit this solution in a few moments as it keeps my functional tests from passing. The solution will not have tests as the situation requires a lot of setup to reproduce.
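
The failure and the suggested fix described in the report above, modelled as an added example that is not part of the bug report or of Zope's code. `Proxy`, `remove_proxy`, `DCAdapter` and `add_object` are simplified stand-ins (assumptions) for Zope's security proxy, `removeSecurityProxy`, the Dublin Core adapter and the add form; the example shows that unwrapping inside the handler lets the timestamp be set while writes made through the proxy by the same principal are still refused.

```python
from datetime import datetime, timezone

DC_CHANGE = "zope.app.dublincore.change"  # permission named in the traceback

class Unauthorized(Exception):
    """Raised when a proxied write lacks the required permission."""

class DCAdapter:
    """Stand-in for ZDCAnnotatableAdapter (assumption, not Zope code)."""
    modified = None

class Proxy:
    """Simplified security proxy: writes require DC_CHANGE."""
    def __init__(self, obj, granted):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_granted", frozenset(granted))

    def __setattr__(self, name, value):
        if DC_CHANGE not in self._granted:
            raise Unauthorized(name, DC_CHANGE)
        setattr(self._obj, name, value)

def remove_proxy(obj):
    """Stand-in for removeSecurityProxy: return the bare object."""
    return obj._obj if isinstance(obj, Proxy) else obj

def modified_annotator_checked(dc):
    # Behaviour in the traceback: the write goes through the proxy.
    dc.modified = datetime.now(timezone.utc)

def modified_annotator_unwrapped(dc):
    # Suggested fix: the handler is trusted code storing a value it
    # computes itself, so it writes to the unproxied adapter.
    remove_proxy(dc).modified = datetime.now(timezone.utc)

def add_object(granted, annotator):
    """Run the modified-event subscriber for a principal holding `granted`."""
    dc = DCAdapter()
    try:
        annotator(Proxy(dc, granted))
    except Unauthorized as exc:
        return "Unauthorized", exc.args, dc.modified
    return "ok", None, dc.modified

def principal_can_write(granted):
    """Writes made through the proxy by the principal are still checked."""
    return add_object(granted, lambda dc: setattr(dc, "title", "x"))[0] == "ok"
```
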

Albertas Agejevas (alga) wrote :

Suggested fix committed in revision 29304.

Stephan Richter (srichter) wrote :

Changes: submitter email, importance (medium => urgent)

Albertas Agejevas (alga) wrote :

Committed a similar hack to src/zope/app/dublincore/creatorannotator.py in revision 30001.

Albertas Agejevas (alga) wrote :

Julien Anguenot (anguenot) wrote :

Can we close this bug?

Latest discussion:

http://mail.zope.org/pipermail/zope3-dev/2005-June/014795.html

Stephan Richter (srichter) wrote :

Status: Pending => Resolved
