Cannot delete contents in user folders

Hi,

I got a strange problem on one of our Plone (4.3.7) instances. While
users may create, edit and move contents (tested with folders, pages and
files) in their personal folders (/Members/foo and below), they cannot delete those objects.

Trying to delete objects under or below /Members/foo raises:

------
2015-11-18T10:23:07 ERROR Plone
Traceback (most recent call last):
  File "/srv/plone/buildout-cache/eggs/Products.CMFPlone-4.3.7-py2.7.egg/Products/CMFPlone/PloneTool.py", line 1252, in deleteObjectsByPaths
    obj = traverse(path)
  File "/srv/plone/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/OFS/Traversable.py", line 317, in restrictedTraverse
    return self.unrestrictedTraverse(path, default, restricted=True)
  File "/srv/plone/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/OFS/Traversable.py", line 251, in unrestrictedTraverse
    next = guarded_getattr(obj, name)
Unauthorized: You are not allowed to access 'Members' in this context
------
2015-11-18T10:23:07 ERROR plone.transformchain Unexpected error whilst trying to apply transform chain
Traceback (most recent call last):
  File "/srv/plone/buildout-cache/eggs/plone.transformchain-1.0.4-py2.7.egg/plone/transformchain/transformer.py", line 48, in __call__
    newResult = handler.transformIterable(result, encoding)
  File "/srv/plone/buildout-cache/eggs/plone.protect-3.0.15-py2.7.egg/plone/protect/auto.py", line 163, in transformIterable
    return self.transform(result, encoding)
  File "/srv/plone/buildout-cache/eggs/plone.protect-3.0.15-py2.7.egg/plone/protect/auto.py", line 267, in transform
    root = result.tree.getroot()
AttributeError: 'list' object has no attribute 'tree'

I checked our workflow (only marginally different from the intranet workflow) but I did not find anything useful:

  • /, /Members, /Members/foo, and below are all in state "internal" with nothing on their "Sharing tab" but the "inherit permissions" ticked.
  • when in the internal state the workflow gives Owner all of the 4 classic permissions (hence even "Modify portal contents"),
  • on the ZMI/Security page, the "delete objects" permission is given to owner and acquired (this page has only default settings anyway, except for collections which comes from the fact that the instance had been deployed pre-new-style collections.).
  • I checked the ownership_form of /Members/foo and every folder is owned by its respective user
  • the problem is not related to a specific user (I checked with 2 or 3).
  • the problem disappears if the user is given the "Site Administrator" role.

The strangest behaviour is that we can cut contents from the /Members/foo hierarchy and paste them to some other place on the web site (provided we have sufficient rights).

Given the fact that the Site Administrator role solves the problem, I compared very carefully the permissions of Owner vs Site Administrator and, while there are logically some differences, none relates to some permissions I imagine could be related to our problem; besides, as told above, the ZMI "Security" tab is unchanged hence those differences are the same on a newly created instance - that does not show the problem.

I'd greatly welcome any help because I cannot see what could be wrong or what I could check.

TIA

phep

As I see plone.protect's latest version, you could test if the problem goes away if you disable the latest 'security' patch with forms.

Also, you are using plone.protect 3.0.15; there's a version 3.0.16 which mentions in the changelog something with transforms and redirects. It's a long shot, but since there's also the transformchain in your backtrace and you are removing something that can trigger a redirect, it could be a fix.

phep wrote at 2015-11-19 13:23 +0000:

This empty message was the result of a "reply to email". Obviously, this does not yet work properly. The message content was:

phep wrote at 2015-11-19 13:23 +0000:
> ...
>I got a strange problem on one of our Plone (4.3.7) instances. While
>users may create, edit and move contents (tested with folders, pages and
>files) in their personal folders (/Members/foo and below), they cannot delete those objects.
>
>Trying to delete objects under or below /Members/foo raises:
>
>    ------
>    2015-11-18T10:23:07 ERROR Plone
>    Traceback (most recent call last):
>      File "/srv/plone/buildout-cache/eggs/Products.CMFPlone-4.3.7-py2.7.egg/Products/CMFPlone/PloneTool.py", line 1252, in deleteObjectsByPaths
>        obj = traverse(path)
>      File "/srv/plone/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/OFS/Traversable.py", line 317, in restrictedTraverse
>        return self.unrestrictedTraverse(path, default, restricted=True)
>      File "/srv/plone/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/OFS/Traversable.py", line 251, in unrestrictedTraverse
>        next = guarded_getattr(obj, name)
>    Unauthorized: You are not allowed to access 'Members' in this context

Apparently, "deleteObjectsByPaths" uses "restrictedTraverse" which
fails accessing "Members".

"restrictedTraverse" makes significantly stronger tests than URL traversal:
URL traversal only checks access in its last step; "restrictedTraverse"
checks access in each intermediate state. Likely, this explains
that you can copy/paste but not delete things.

In my view, the use of "restrictedTraverse" in "deleteObjectsByPaths"
is a bug.


What can you do?

"restrictedTraverse" checks the so-called "object permission" on the
accessed object. This is the permission used in the
"declareObjectProtected" security declaration of the corresponding
class (or one of its super classes).
Most objects use the permission "Access contents information";
but occasionally, other permissions are used, e.g. "View".
The "Members" object likely uses "Access contents information" as
its "object permission".

You can check the permission to role assignments of "Members" as
Zope "Manager" via the url "<url_to_your_portal>/Members/manage_access".
In principle, "manage_access" can also change the permission to role
assignments. However, workflow may have taken over control for some
permissions and those permissions may change under workflow control,
i.e. their assignment might change back.

You could use "manage_access" to grant the "object permission" to "Members"
for all persons you want to allow deletion. At least, this will
allow you to verify that this is indeed the problem.

If this fixes the problem, you need to check your workflow[s] and ensure
that it[they] does not take over control over the
"object permission" of "Members".


I try replying to the email for the first time. Hope it will work.

Thank you for your help.

I used a backup of the instance when it was still in 4.3.6 with plone.protect in version 2.0. The problem is still present but there is no more error found in the client or zeoserver logs.

Yet I will give plone.protect 3.0.16 a try at the start of next week (I'm short on time today).

Thanks again.

phep

Thank you Dieter for pointing me at "manage_access".

Actually there are differences when I compare perms on a vanilla instance with perms on ours, but I've not yet found which (if any) are impacting on our problem.

I have to stop working on this problem right now but I'll be back at it next week and put the results of my tests on the forum.

Thanks again,

phep

Hi,

I finally found the culprit. In our workflow, I removed all of the 4 workflow permissions (Access contents information, Change portal events, Modify portal contents and View) from the Member role on all states but internally_published. I'm currently having a thorough look at the documentation on docs.plone.org (which was not as comprehensive as today when I started with Plone) in order to fix / avoid such problems.

Restoring Access contents information, as suggested by Dieter, solved the problem.

But this leads me to another question:

  • how come this property missing from the Member role prevented people having this particular permission as Owner from deleting (and only deleting) objects?

Thanks in advance,

phep
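
The per-step check versus the final-step-only check explained earlier in the thread, combined with the workflow finding in the last post, as an added example that is not part of the original thread and is not Zope or Plone code. It is a simplified model: the `Node` class, `traverse`, `build_site` and the role sets are assumptions made for illustration, with Owner granted as a local role on /Members/foo only.

```python
# Simplified model of the two access checks; not Zope's implementation.
ACI = "Access contents information"

class Unauthorized(Exception):
    pass

class Node(object):
    """Content object: per-permission allowed roles plus local role grants."""

    def __init__(self, name, parent=None, allowed=None, local_roles=None):
        self.name, self.parent, self.children = name, parent, {}
        self.allowed = allowed or {}          # permission -> set of roles
        self.local_roles = local_roles or {}  # user id -> set of roles
        if parent is not None:
            parent.children[name] = self

    def roles_for(self, user, global_roles):
        """Global roles plus local roles granted here or on any ancestor."""
        roles, node = set(global_roles), self
        while node is not None:
            roles |= node.local_roles.get(user, set())
            node = node.parent
        return roles

    def permits(self, user, global_roles, permission=ACI):
        granted = self.allowed.get(permission, set())
        return bool(self.roles_for(user, global_roles) & granted)

def traverse(root, path, user, global_roles, check_each_step):
    """check_each_step=True models restrictedTraverse, False URL traversal."""
    node = root
    names = [n for n in path.split("/") if n]
    for i, name in enumerate(names):
        node = node.children[name]
        must_check = check_each_step or i == len(names) - 1
        if must_check and not node.permits(user, global_roles):
            raise Unauthorized(
                "You are not allowed to access %r in this context" % name)
    return node

def build_site(member_has_aci):
    """Constructed sample tree /Members/foo/doc; user 'foo' owns foo."""
    roles = {"Owner", "Site Administrator", "Manager"}
    if member_has_aci:
        roles = roles | {"Member"}
    root = Node("", allowed={ACI: roles})
    members = Node("Members", root, allowed={ACI: roles})
    foo = Node("foo", members, {ACI: roles}, {"foo": {"Owner"}})
    Node("doc", foo, allowed={ACI: roles})
    return root
```

In this model the user is Owner only from /Members/foo downwards, so at /Members the only role that counts is Member, and the per-step check stops there once Member has lost "Access contents information".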