dms: do not grant permissions based on Owner role
.. except from Draft and Submitted state. Document security should be based on group, site, function defined on document, sometimes publication section and or follow up, but the owner should only be considered in draft state. For conveniance (and compatibility), Owner is also allowed to view in Submitted state. The use case is for when a user submit a document he will not be allowed to see, for example because he made a mistake when choosing properties, user is still allowed to view the document and there's no unauthorized error. We want to allow a user to set properties before publishing a document and later, once the document is no longer draft, the security of the document will be depending on these properties. We want to prevent users to get permissions on a PDF document that would be created by interactions and they are not supposed to see. For exemple when we generate a PDF invoice and store it in document module. In this case, as the interaction runs as the user, this user will have Owner role implicitely.
Showing with 17 additions and 94 deletions