Reduce permission required for feed update? #4

Closed
jean opened this Issue Sep 26, 2013 · 4 comments

Comments

Projects
None yet
3 participants
Member

jean commented Sep 26, 2013

Currently feed update requires Manage portal permission. I created a user just for updating the feed, and it seems overkill for this user to have Manage permission. Wouldn't it be better to reduce this to Add portal content?

Member

cleder commented Sep 26, 2013

+1 add portal content should suffice

Member

cleder commented Sep 26, 2013

for the mega update it looks to me like

update_view = folder.unrestrictedTraverse("@@update_feed_items")

will respect the local roles/permissions
so (correct me if I am wrong) the feed harvest user only has to have local rights on that feed folder
and the mega_update view could (in my theory) be only protected by zope.view

Owner

mauritsvanrees commented Oct 1, 2013

I have updated the code to use different permissions. Adding feed items has always required the feedfeeder: Add permission, so you need at least that for updating feeds. I have added feedfeeder: Update feed for updating a single feed. The action is protected by that permission now. I have also added feedfeeder: Update all feeds as separate permission for calling the mega update. By default all three permissions are given to Manager and Site Administrator. You can change that in your own setup.

Note that updating a feed probably fails if you have the update permission but do not have the add permission.

@cleder: The unrestrictedTraverse in the mega update code actually means that the permission needed for calling @@update_feed_items on that folder are not checked at all. The View permission on mega update would then be wrong. You probably do run into errors further on when the code actually tries to add an item.

I have released 2.2 with this change.

Member

jean commented Oct 1, 2013

@mauritsvanrees awesome, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment