Reduce permission required for feed update?

[jean]

Currently feed update requires Manage portal permission. I created a user just for updating the feed, and it seems overkill for this user to have Manage permission. Wouldn't it be better to reduce this to Add portal content?

[cleder]

+1 add portal content should suffice

[cleder]

for the mega update it looks to me like

update_view = folder.unrestrictedTraverse("@@update_feed_items")

will respect the local roles/permissions
so (correct me if I am wrong) the feed harvest user only has to have local rights on that feed folder
and the mega_update view could (in my theory) be only protected by zope.view

[mauritsvanrees]

I have updated the code to use different permissions. Adding feed items has always required the feedfeeder: Add permission, so you need at least that for updating feeds. I have added feedfeeder: Update feed for updating a single feed. The action is protected by that permission now. I have also added feedfeeder: Update all feeds as separate permission for calling the mega update. By default all three permissions are given to Manager and Site Administrator. You can change that in your own setup.

Note that updating a feed probably fails if you have the update permission but do not have the add permission.

@cleder: The unrestrictedTraverse in the mega update code actually means that the permission needed for calling @@update_feed_items on that folder are not checked at all. The View permission on mega update would then be wrong. You probably do run into errors further on when the code actually tries to add an item.

I have released 2.2 with this change.

[jean]

@mauritsvanrees awesome, thank you!