TypeError from plone.locking.lockable.lock_info for anonymous content creation

[raphael]

When allowing anonymous content contributions (like adding a ticket in Poi) plone.locking.lockable.lock_info bombs with a TypeError because in line 103

'creator' : lock.getCreator()[1],

fails if the creator is the anonymous user.

What seems to fix it is to just skip the subscription in that case, aka something like:

try:

creator = lock.getCreator()[1]

except TypeError:

creator = lock.getCreator()

Could someone please confirm before I commit this?

Thanks,

Raphael

[maurits]

I see that too when trying it with Poi. When I try your fix it leads me to a different error, where fullname is not defined. Easily fixed in r18038. Oh, and improved in r18039 and r18042. :-)

I first wondered if anonymous locking is perhaps not wanted and should be disabled. But locking can of course only happen when an anonymous user has edit rights. That is usually not the case. But there are exceptions like adding a PoiIssue/Response or a comment or editing a wiki page. So anonymous locking probably does make sense.

I changed your fix slightly and am so bold as to commit it, together with a test.

Two notes to that:

• When a lock is stealable, any anonymous user can steal it from any other anonymous user.
• An real user with the wondrously chosen name 'anonymous' would also be able to steal locks from all anonymous users. More seriously: all anonymous users would be able to steal his locks. We could say: "That will teach him! :)" Or we can change the fix to put creator=None in the lock_info, which your fix actually does. But that would lead to messages like "This item was locked by five minutes ago." So 'anonymous' will do fine I think. :)

I changed the info.pt (which has the html snippets for telling the user that the page is locked) so it only has a link to the author page if the author is not anonymous. See r18043.

After I submit this response I will commit the actual fix, which should automatically mark this issue as fixed I think.

[maurits]

Right, or I just set it to fixed myself in that same response. Duh. :)

[maurits]

(In [18044]) Make changes so an Anonymous User can create a lock without stumbling on a TypeError. Fixes #7246

[limi]

Maurits, please backport to 3.0 branch. :)

[maurits]

This is a fix for plone.locking, which has no Plone 3 branch. :)

[limi]

Yup, my bad. Thanks! :)

[sirgarr]

Two concerns about this fix --

(1) I don't think it is good to use the string "anonymous," which like you said a user could pick for their login name, unless you explicitly ban that elsewhere. Instead, we could just change locking.pt to read:

This item was locked <span tal:condition="lock_details/fullname">by <span i18n:name="author" tal:content="lock_details/fullname" /></span>

(2) The code isn't internationalized to allow a developer to translate the string "anonymous".

[sirgarr]

Although actually that HTML (for info.pt, not locking.pt -- I wrote it incorrectly) I suggested isn't internationalized properly.

Another solution: set creator to None; but in locking.py, replace the line "fullname = creator" with "fullname = creator or _(u'anonymous', 'anonymous_label')". That way there's no possibility for name clashes.

[maurits]

You are right sirgarr. I am improving it now.

[maurits]

(In [18066]) Again improve fix for anonymous locking: the creator is None then and only the browser view makes it "an anonymous user". Fixes #7246

[sirgarr]

Thanks! =)