[Erp5-dev] "Allowed content type" does not matter?

bartek bartek at erp5.pl
Wed Feb 14 15:40:00 CET 2007 

Ivan Tyagov wrote:
> Hi,
> 
>> We have just find out on our site that its possible to add a content 
>> to an object regardless of the settings in "Allowed content type" box.
>>
>> For instance, it was possible to add (by the script) a Person to a 
>> Person, despite the fact that Person is not an allowed content type 
>> for Person.
> 
> Yes, it's possible because such a check is not applied.
> This patch to Products.ERP5Type.Core.Folder (see attached) implements 
> this check but still it's not tested thoroughly. You can try it and 
> maybe send feedback?

The weird thing about it is that some time ago it did work as expected - 
  if you tried to add an object of a type which was not in allowed 
types, the system would raise an exception. So the check was 
implemented, but apparently is not there anymore. Was it removed, or what?

Bartek

> 
>> I've made an svn update for products but the problem persists.
> It should persists. Patch is not (yet) applied to SVN.
> 
>> Is it really a bug?
> I think we can classify it as a bug unless that's the "expected/normal" 
> behavior?
> 
> Regards
> Ivan
> 
> 
> ------------------------------------------------------------------------
> 
> Index: Folder.py
> ===================================================================
> --- Folder.py	(revision 12682)
> +++ Folder.py	(working copy)
> @@ -88,7 +88,13 @@
>        # XXX This feature is very confusing 
>        # And made the code more difficult to update
>        portal_type = container.allowedContentTypes()[0].id
> -
> +    # is portal_type allowed to add ?
> +    allowed_content_types = []
> +    for pt in container.allowedContentTypes():
> +      allowed_content_types.append(pt.id)
> +    if portal_type not in allowed_content_types and not container.isTempObject():
> +      raise RuntimeError, \
> +            "You are not allowed to add %s type to container (%s)." %(portal_type, container.getRelativeUrl())
>      if temp_object:
>        from Products.ERP5Type import Document
>        # we get an object from factory only for first temp container object
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Erp5-dev mailing list
> Erp5-dev at erp5.org
> http://erp5.org/mailman/listinfo/erp5-dev

More information about the Erp5-dev mailing list