Ticket #3688 (closed Bug: fixed)

Opened 7 years ago

portal_factory doesn't copy locally assigned permissions correctly from intended_parent

Reported by: dom_1 Owned by:
Priority: major Milestone: 2.1
Component: Infrastructure Version:
Severity: Keywords:
Cc:

Description

For some reason, the changed FactoryTool doesn't seem to copy across permissions correctly from intended_parent to tempFolder in the _getTempFolder() function.

For example, I have a Role, Editor. I assign that role the "addCustomObject" permission on the folder /somewhere/test. I then try to add an object to /somewhere/test which requires the addCustomObject permission. This fails because the correct permissions are never copied from intended_parent to tempFolder. You can prove this by assigning some permissions to roles on your test folder and then adding a raise str(intended_parent.ac_inherited_permissions(1)) to the method, just before the copy process, to try to view role assignments. You'll find that they're not shown.

Now, I don't understand why this is happening, because adding a raise str(intended_parent.permission_settings()) to the same place *does* show the correct permission assignments, so I assume there must be some weirdness with the acquisition context going on.

FWIW, and as a proof of concept, I recycled an old method I had kicking around to copy permissions between objects using the output of permission_settings(). Commenting out:

    #        for p in intended_parent.ac_inherited_permissions(1):
    #            name, value = p[:2]
    #            p=Permission(name,value,self)
    #            roles=p.getRoles(default=[])
    #            tempFolder.manage_permission(name, tuple(roles), acquire=type(roles) is ListType)

and replacing with:

copyPermissions(tempFolder, intended_parent.permission_settings())

yields the correct results. The copyPermissions() function is horrible (see below), but, as I say, this was a proof of concept. Anyone any idea why intended_parent.ac_inherited_permissions(1) doesn't tally with intended_parent.permission_settings() in the context of the _getTempFolder() function? Is there a much simpler fix?

    DEBUG=1
    import zLOG

    def copyPermissions(self, src_permissions):
        #First deal with the acquisition settings:
        acquired_permissions = [permsdict['name'] for permsdict in src_permissions if permsdict['acquire']]
        self.manage_acquiredPermissions(permissions = acquired_permissions)
        if DEBUG:
            zLOG.LOG("copyPermissions", zLOG.INFO, "Setting %s acquired permissions on %s." % (str(acquired_permissions), '/'.join(self.getPhysicalPath())))

        #Now handle the role allocations
        valid_roles = self.valid_roles()
        set_roles = {}
        for settings_dict in src_permissions:
            checked_roles = [role_dict['name'] for role_dict in settings_dict['roles'] if role_dict['checked']]
            for role in checked_roles:
                role_name = valid_roles[int(role[role.find('r')+1:])]
                if not set_roles.has_key(role_name):
                    set_roles[role_name] = []
                existing_permissions = set_roles[role_name]
                existing_permissions.append(settings_dict['name'])
                set_roles[role_name] = existing_permissions

        for role in set_roles.keys():
            if DEBUG:
                zLOG.LOG("copyPermissions", zLOG.INFO, "Setting %s role to have %s permissions on %s." % (role, str(set_roles[role]), '/'.join(self.getPhysicalPath())))
            self.manage_role(role_to_manage=role, permissions=set_roles[role])

        #Clear the bizarre situation whereby Manager seems to be given everything explicitly
        if not set_roles.has_key('Manager'):
            self.manage_role(role_to_manage='Manager', permissions=[])

Change History

comment:1 Changed 7 years ago by dom_1

Finally fixed - HTH. FWIW, this is a blocking bug - you can't use the portal_factory for objects with custom add permissions set and local role allocations until this is updated. Patch below.

* Products/CMFPlone/FactoryTool.py.orig 2005-01-21 16:24:31.000000000 +0000 --- Products/CMFPlone/FactoryTool.py 2005-01-21 16:24:50.000000000 +0000 * * 356,362

intended_parent = aq_parent(self) for p in intended_parent.ac_inherited_permissions(1):

name, value = p[:2]

! p=Permission(name,value,self)

roles=p.getRoles(default=[]) tempFolder.manage_permission(name, tuple(roles), acquire=type(roles) is ListType)

factory_info[type_name] = tempFolder

--- 356,362 ----

intended_parent = aq_parent(self) for p in intended_parent.ac_inherited_permissions(1):

name, value = p[:2]

! p=Permission(name,value,intended_parent)

roles=p.getRoles(default=[]) tempFolder.manage_permission(name, tuple(roles), acquire=type(roles) is ListType)

factory_info[type_name] = tempFolder
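
Review bot: The switch to Permission(name,value,intended_parent) on the changed line arrives without a test, and the loop still asks a single object for its roles, so it is not clear that settings reaching intended_parent from a folder higher up end up on tempFolder; comment:3 reports that case still failing with "insufficient privileges". Suggest a test that sets the add permission on a grandparent folder and then checks tempFolder, plus a short comment on acquire=type(roles) is ListType, since with getRoles(default=[]) a permission that has no setting at all comes back as a list and is therefore copied as "acquire".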

comment:2 Changed 7 years ago by limi

This should definitely be fixed for 2.1.

comment:3 Changed 7 years ago by marcS

The patch proposed by dom_1 works fine for me if the permissions in question are set directly on the intended parent folder; but if they are acquired from a parent folder, I still get "insufficient privileges" / "You are not allowed to access 'addDocument' in this context" error messages.

comment:4 Changed 7 years ago by geoff

  • Status changed from new to closed
  • Resolution set to fixed

Ok, this is now fixed properly, and I have added a test. You should be able to grab FactoryTool.py from SVN and use it in Plone 2.0.x if you need to backport the fix.
