upgrade procedure?


Hervé Cauwelier

Jul 4, 2011, 9:53:50 AM
to djang...@googlegroups.com
Hi,

I would like to migrate from LFC 1.0.2 to 1.0.5. There is a problem with
permissions but I would like to upgrade before reporting.

I couldn't find this in the documentation. Is there something to do with
buildout?

Thanks,

Hervé

Kai Diefenbach

Jul 4, 2011, 10:04:18 AM
to djang...@googlegroups.com
Hi, 

2011/7/4 Hervé Cauwelier <herve.c...@free.fr>

> I would like to migrate from LFC 1.0.2 to 1.0.5. There is a problem with permissions but I would like to upgrade before reporting.
>
> I couldn't find this in the documentation. Is there something to do with buildout?

no there isn't anything to do with buildout.

Actually there shouldn't be any migration. 

Please post the complete error. 

Kai

Hervé Cauwelier

Jul 4, 2011, 11:19:51 AM
to djang...@googlegroups.com
On 04/07/2011 16:04, Kai Diefenbach wrote:
> no there isn't anything to do with buildout.
>
> Actually there shouldn't be any migration.

In the end, I ran the 1.0.5 installer and moved my code and database
into the new structure.

> Please post the complete error.

I wonder why a newly subscribed user, or a user created through the LFC
management interface, without the is_staff flag, neither groups nor
roles, has access to the management interface.

The Reader role does not change this.

Hervé

Kai Diefenbach

Jul 4, 2011, 12:27:00 PM
to djang...@googlegroups.com
On 04.07.2011 at 17:19, Hervé Cauwelier wrote:
> I wonder why a newly subscribed user, or a user created through the LFC management interface, without the is_staff flag, neither groups nor roles, has access to the management interface.

Because there could be local roles. 

Anyway, the above mentioned users shouldn't see any objects, right?

Kai

--
IQ++
Tel: +49 361 / 6636700
Fax: +49 361 / 6636702
Mail: kai.die...@iqpp.de
Web: http://www.iqpp.de
Skype: kai.diefenbach

Hervé Cauwelier

Jul 6, 2011, 8:20:41 AM
to djang...@googlegroups.com
On 04/07/2011 18:27, Kai Diefenbach wrote:

> On 04.07.2011 at 17:19, Hervé Cauwelier wrote:
>> I wonder why a newly subscribed user, or a user created through the
>> LFC management interface, without the is_staff flag, neither groups
>> nor roles, has access to the management interface.
>
> Because there could be local roles.

There are none.

> Anyway, the above mentioned users shouldn't see any objects, right?

They only see public objects, and they can make them private and public
again.

Here are the permissions of a typical object:
http://img31.imageshack.us/img31/4505/objectpermissions.jpg

And the permission of the portal, which is the parent object, since most
permissions are inherited:
http://img36.imageshack.us/img36/2918/portalpermissions.jpg

I did not change them from the default. I'm even surprised that not all
permissions are inherited by default.

I tried the new "update permissions" utility but it changed nothing.

Hervé

Hervé Cauwelier

Jul 6, 2011, 8:27:26 AM
to djang...@googlegroups.com
On 04/07/2011 18:27, Kai Diefenbach wrote:
> On 04.07.2011 at 17:19, Hervé Cauwelier wrote:
>> I wonder why a newly subscribed user, or a user created through the
>> LFC management interface, without the is_staff flag, neither groups
>> nor roles, has access to the management interface.
>
> Because there could be local roles.
>
> Anyway, the above mentioned users shouldn't see any objects, right?

And the same user with no role is allowed to see the utilities pages and
reindex objects. Though he cannot update permissions.

I made all permissions inherit from the portal and updated permissions.
The only difference is now that user can make objects private but he is
then not allowed to see them.

Hervé

Kai Diefenbach

Jul 6, 2011, 9:10:49 AM
to djang...@googlegroups.com


2011/7/6 Hervé Cauwelier <herve.c...@free.fr>
> On 04/07/2011 18:27, Kai Diefenbach wrote:
>> On 04.07.2011 at 17:19, Hervé Cauwelier wrote:
>>> I wonder why a newly subscribed user, or a user created through the
>>> LFC management interface, without the is_staff flag, neither groups
>>> nor roles, has access to the management interface.
>>
>> Because there could be local roles.
>
> There are none.

But they could and users should be able to browse to them or just see them in the correct context within the manage interface. Hence all users should see the management interface.

>> Anyway, the above mentioned users shouldn't see any objects, right?
>
> They only see public objects, and they can make them private and public again.

This is a bug. They should just see them - as they would in the front end.

Kai

Kai Diefenbach

Jul 6, 2011, 9:11:29 AM
to djang...@googlegroups.com

2011/7/6 Hervé Cauwelier <herve.c...@free.fr>
> On 04/07/2011 18:27, Kai Diefenbach wrote:
>> On 04.07.2011 at 17:19, Hervé Cauwelier wrote:
>>> I wonder why a newly subscribed user, or a user created through the
>>> LFC management interface, without the is_staff flag, neither groups
>>> nor roles, has access to the management interface.
>>
>> Because there could be local roles.
>>
>> Anyway, the above mentioned users shouldn't see any objects, right?
>
> And the same user with no role is allowed to see the utilities pages and reindex objects. Though he cannot update permissions.

This is also a bug.

Kai

Hervé Cauwelier

Jul 6, 2011, 1:41:49 PM
to djang...@googlegroups.com
On 06/07/2011 15:10, Kai Diefenbach wrote:
> But they could and users should be able to browse to them or just see
> them in the correct context within the manage interface. Hence all users
> should see the management interface.

It's sad to read that you consider registered visitors of a website
being able to access the back-office is a feature.

How do you disable it completely? I mean, not just removing the links
from the template but prevent the access. I thought it was the "Manage
content" permission, but it has no effect.

Maybe I ruined my installation somehow or we just don't try to solve the
same use case.

Hervé
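
The distinction drawn in the message above, between removing links from a template and refusing the request on the server, shown as an added example that is not part of the thread and is not LFC code. The role-to-permission map, the permission names and the three views are constructed for illustration; the dispatch refuses any management view that declared no permission, and an audit helper lists such views.

```python
from functools import wraps

# Constructed for this example: role and permission names are hypothetical, not LFC's.
ROLE_PERMISSIONS = {
    "Manager": {"view", "manage_content", "manage_portal"},
    "Editor": {"view", "manage_content"},
    "Reader": {"view"},
}
MANAGEMENT_VIEWS = {}  # view name -> wrapped callable, filled by @management_view

class Forbidden(Exception):
    """Raised instead of running a view the caller may not use."""

def permissions_of(user):
    """Union of the permissions granted by the user's roles (none if no roles)."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.get("roles", ())))

def management_view(permission=None):
    """Register a management view whose permission is checked on every call."""
    def decorator(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            # Deny by default: a view that declared no permission is refused for everyone.
            if permission is None or permission not in permissions_of(user):
                raise Forbidden(func.__name__)
            return func(user, *args, **kwargs)
        wrapper.required_permission = permission
        MANAGEMENT_VIEWS[func.__name__] = wrapper
        return wrapper
    return decorator

def unprotected_views():
    """Audit helper: management views registered without any permission."""
    return sorted(n for n, v in MANAGEMENT_VIEWS.items() if v.required_permission is None)

@management_view("manage_portal")
def reindex_objects(user):
    return "reindexed"

@management_view("manage_content")
def set_state(user, obj, state):
    obj["state"] = state
    return obj

@management_view()  # permission forgotten: refused at runtime, reported by the audit
def utilities_page(user):
    return "utilities"
```

Running `unprotected_views()` in a test suite turns a forgotten check into a failing build rather than an exposed page.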

Kai Diefenbach

Jul 6, 2011, 2:38:28 PM
to djang...@googlegroups.com
On 06.07.2011 at 19:41, Hervé Cauwelier wrote:

> On 06/07/2011 15:10, Kai Diefenbach wrote:
>> But they could and users should be able to browse to them or just see
>> them in the correct context within the manage interface. Hence all users
>> should see the management interface.
>
> It's sad to read that you consider registered visitors of a website being able to access the back-office is a feature.

As I said before, he won't see more than on the front end. So what is the problem here in your opinion?

Hervé Cauwelier

Jul 7, 2011, 9:33:47 AM
to djang...@googlegroups.com
On 06/07/2011 20:38, Kai Diefenbach wrote:
> As I said before, he won't see more than on the front end. So what is
> the problem here in your opinion?

I don't find it sane that a visitor accesses the back-office. As you
have seen, there could be security flaws.

I think you have known Zope. Did you leave access to the ZMI to visitors?

Hervé
