[Erp5-report] r29538 - in /erp5/trunk: bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_bas...
nobody at svn.erp5.org
nobody at svn.erp5.org
Fri Oct 9 16:37:06 CEST 2009
Author: jm
Date: Fri Oct 9 16:37:02 2009
New Revision: 29538
URL: http://svn.erp5.org?rev=29538&view=rev
Log:
Role Definition: disallow giving arbitrary role using setRoleName directly
Modified:
erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_getRoleNameItemList.xml
erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_viewFieldLibrary/my_role_name.xml
erp5/trunk/bt5/erp5_base/bt/revision
erp5/trunk/products/ERP5/Document/RoleDefinition.py
erp5/trunk/products/ERP5/tests/testERP5Web.py
Modified: erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_getRoleNameItemList.xml
URL: http://svn.erp5.org/erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_getRoleNameItemList.xml?rev=29538&r1=29537&r2=29538&view=diff
==============================================================================
--- erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_getRoleNameItemList.xml [utf8] (original)
+++ erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_getRoleNameItemList.xml [utf8] Fri Oct 9 16:37:02 2009
@@ -54,13 +54,10 @@
<item>
<key> <string>_body</string> </key>
<value> <string>from Products.ERP5Type.Message import translateString\n
-item_list = [(\'\', \'\')]\n
\n
-for role in context.valid_roles():\n
- if role not in (\'Owner\', \'Manager\', \'Assignor\',):\n
- item_list.append((translateString(role), role))\n
-\n
-return item_list\n
+return [(translateString(role), role)\n
+ for role in context.valid_roles()\n
+ if role not in (\'Owner\', \'Manager\')]\n
</string> </value>
</item>
<item>
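Review bot: This script's return value now doubles as the allowlist that `RoleDefinition._setRoleName` enforces, but it is built by blacklisting only `Owner` and `Manager` out of `context.valid_roles()`, so every other role the site defines, including `Assignor` (excluded before this change) and any future custom role with elevated permissions, becomes grantable through a Role Definition by default. The log message speaks of disallowing arbitrary roles, so the silent re-enabling of `Assignor` looks like it deserves a mention or a separate decision. Since this is a skin script it can also be overridden in a custom skin, which moves a security decision out of the product code; if that is accepted, a comment should at least say so, e.g. `# Security: RoleDefinition._setRoleName rejects any role_name not returned here; keep this list restrictive.` Consider an explicit allowlist or a tuple of excluded roles defined in the product rather than in the skin.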
@@ -99,7 +96,8 @@
<tuple>
<string>Products.ERP5Type.Message</string>
<string>translateString</string>
- <string>item_list</string>
+ <string>append</string>
+ <string>$append0</string>
<string>_getiter_</string>
<string>_getattr_</string>
<string>context</string>
Modified: erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_viewFieldLibrary/my_role_name.xml
URL: http://svn.erp5.org/erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_viewFieldLibrary/my_role_name.xml?rev=29538&r1=29537&r2=29538&view=diff
==============================================================================
--- erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_viewFieldLibrary/my_role_name.xml [utf8] (original)
+++ erp5/trunk/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_viewFieldLibrary/my_role_name.xml [utf8] Fri Oct 9 16:37:02 2009
@@ -13,9 +13,9 @@
<key> <string>delegated_list</string> </key>
<value>
<list>
- <string>title</string>
<string>description</string>
<string>items</string>
+ <string>title</string>
</list>
</value>
</item>
@@ -133,7 +133,7 @@
<dictionary>
<item>
<key> <string>_text</string> </key>
- <value> <string>here/RoleDefinition_getRoleNameItemList</string> </value>
+ <value> <string>python: [(\'\',\'\')] + here.RoleDefinition_getRoleNameItemList()</string> </value>
</item>
</dictionary>
</pickle>
Modified: erp5/trunk/bt5/erp5_base/bt/revision
URL: http://svn.erp5.org/erp5/trunk/bt5/erp5_base/bt/revision?rev=29538&r1=29537&r2=29538&view=diff
==============================================================================
--- erp5/trunk/bt5/erp5_base/bt/revision [utf8] (original)
+++ erp5/trunk/bt5/erp5_base/bt/revision [utf8] Fri Oct 9 16:37:02 2009
@@ -1,1 +1,1 @@
-637
+638
Modified: erp5/trunk/products/ERP5/Document/RoleDefinition.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5/Document/RoleDefinition.py?rev=29538&r1=29537&r2=29538&view=diff
==============================================================================
--- erp5/trunk/products/ERP5/Document/RoleDefinition.py [utf8] (original)
+++ erp5/trunk/products/ERP5/Document/RoleDefinition.py [utf8] Fri Oct 9 16:37:02 2009
@@ -25,7 +25,7 @@
#
##############################################################################
-from AccessControl import ClassSecurityInfo
+from AccessControl import ClassSecurityInfo, Unauthorized
from Products.CMFCore.utils import getToolByName
from Products.ERP5Type import Permissions, PropertySheet, Constraint, interfaces
from Products.ERP5Type.XMLObject import XMLObject
@@ -49,3 +49,9 @@
, PropertySheet.DublinCore
, PropertySheet.RoleDefinition
)
+
+ def _setRoleName(self, value):
+ if value and value not in \
+ zip(*self.RoleDefinition_getRoleNameItemList())[1]:
+ raise Unauthorized("You are not allowed to give %s role" % value)
+ self._baseSetRoleName(value)
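Review bot: `zip(*self.RoleDefinition_getRoleNameItemList())[1]` raises `IndexError` rather than `Unauthorized` when the item list is empty, and it relies on Python 2 `zip` returning a list; a plain extraction is clearer and avoids both: `allowed_role_list = [role for _, role in self.RoleDefinition_getRoleNameItemList()]` followed by `if value and value not in allowed_role_list:`. The check applies to every caller, so a Manager editing a Role Definition is refused the `Manager` role too; presumably intended as a hard limit, but a docstring should say so, along with the fact that an empty value (clearing the role) is always accepted and that the allowlist comes from a skin script that a custom skin can override. `_baseSetRoleName` is assumed here to be the generated accessor for this property; the enclosing class starts outside the hunk.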
Modified: erp5/trunk/products/ERP5/tests/testERP5Web.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5/tests/testERP5Web.py?rev=29538&r1=29537&r2=29538&view=diff
==============================================================================
--- erp5/trunk/products/ERP5/tests/testERP5Web.py [utf8] (original)
+++ erp5/trunk/products/ERP5/tests/testERP5Web.py [utf8] Fri Oct 9 16:37:02 2009
@@ -1043,6 +1043,8 @@
site.get_local_roles_for_userid(person_reference))
self.assertSameSet(('Associate',),
section.get_local_roles_for_userid(person_reference))
+ self.assertRaises(Unauthorized, site_role_definition.edit,
+ role_name='Manager')
# delete Role Definition and check again (local roles must be gone too)
site.manage_delObjects(site_role_definition.getId())