Ticket #7078 (closed Bug: fixed)
Delete and cut buttons in plone3 do not show for a user that's not admin.
| Reported by: | b2jrock | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | 3.0.1 |
| Component: | Infrastructure | Keywords: | |
| Cc: | | | |
Description
Steps to reproduce:
1) On a new plone site, create a user
2) As admin, create a new folder
3) On the sharing tab, give the previously created user full rights (add, edit, view, review)
4) Add a new page under the folder
5) From the folder contents view, notice that there is no 'Cut' or 'Delete'
Change History
comment:2 Changed 4 years ago by optilude
Right. A *major* issue. :-) I'll hold fire on downgrading this one - at least it deserves some more attention.
This is probably just down to the Contributor role not having 'Delete objects' permission. Arguably, it should, but then Contributor would be able to delete *any* object in the folder, not just those they created. I'm not sure this is exactly right either - certainly, we should agree on the intended behaviour here.
If that is all that's needed, btw, it's a pretty simple thing to customise if you don't like the default policy - it should be possible to just set this at the site root. It'd be a pretty simple fix too - just change rolemap.xml, add a migration profile step and a test.
comment:3 follow-up: ↓ 5 Changed 4 years ago by limi
Delete permissions being managed by the surrounding folder biting us again :(
I'm not sure we can let them delete everything in a folder, the classic use case (i.e. plone.org news) would not be too happy about that.
Now that I think about it, it should probably be tied to the Editor role, not Contribute — since people who can edit the folder can do bad stuff too. Does that sound like a sane approach?
comment:4 Changed 4 years ago by optilude
+1 for giving 'Delete objects' to Editor. That's a more natural fit.
comment:5 in reply to: ↑ 3 ; follow-up: ↓ 6 Changed 4 years ago by dvainsencher
Replying to limi:
> Delete permissions being managed by the surrounding folder biting us again :(

What about splitting Deletion permissions between surrounding folder and object? Something like having a role applied to container (Delete from) and the actual Delete objects applied to object.

> I'm not sure we can let them delete everything in a folder, the classic use case (i.e. plone.org news) would not be too happy about that.
> Now that I think about it, it should probably be tied to the Editor role, not Contribute — since people who can edit the folder can do bad stuff too. Does that sound like a sane approach?
comment:6 in reply to: ↑ 5 Changed 4 years ago by optilude
Replying to dvainsencher:
> What about splitting Deletion permissions between surrounding folder and object? Something like having a role applied to container (Delete from) and the actual Delete objects applied to object.
There's a limit to what we can do here without re-designing the security decisions made by Zope and CMF, unfortunately. :-/

Another major issue (might be a duplicate, I seem to remember a different ticket with about the same info).
These things (Add + Delete permissions) should be tied to the Contributor role.
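
The trade-off debated in comments 2 to 4, as an added example that is not part of the ticket and is not Zope, CMF or Plone code: a simplified model assuming, as the thread describes, that deletion is authorised by 'Delete objects' on the containing folder. The `Folder` class, the users, the item ids and the three policies are constructed for illustration.

```python
# Constructed model, not Zope/CMF/Plone code. Assumption from the thread:
# deleting an item is authorised by 'Delete objects' on the containing folder.
DELETE = "Delete objects"


class Folder:
    def __init__(self, local_roles):
        self.local_roles = local_roles  # user -> roles granted via the sharing tab
        self.items = {}                 # item id -> creator

    def add(self, item_id, creator):
        self.items[item_id] = creator


def can_delete(rolemap, folder, user, item_id):
    """Container-level check: the item's creator plays no part in the decision."""
    if item_id not in folder.items:
        raise KeyError(item_id)
    return bool(folder.local_roles.get(user, set()) & rolemap[DELETE])


def deletable(rolemap, folder, user):
    return sorted(i for i in folder.items if can_delete(rolemap, folder, user, i))


# Three constructed site-wide policies: which roles hold 'Delete objects'.
POLICIES = {
    "baseline": {"Manager"},
    "contributor": {"Manager", "Contributor"},
    "editor": {"Manager", "Editor"},
}


def scenarios():
    """Return {policy: {user: deletable item ids}} for a shared news folder."""
    news = Folder({"alice": {"Contributor"}, "bob": {"Contributor", "Editor"}})
    news.add("alice-item", "alice")
    news.add("bob-item", "bob")
    return {
        name: {u: deletable({DELETE: roles}, news, u) for u in ("alice", "bob")}
        for name, roles in POLICIES.items()
    }


if __name__ == "__main__":
    for policy, result in scenarios().items():
        print(policy, result)
```

Under the contributor policy alice can remove bob-item, which is the plone.org news concern raised in comment 3; under the editor policy only bob, who can already edit the folder, can delete.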