robert rottermann wrote:
> Having read Stuart's post with a similar context I was digging through DCWorkflow with the debugger and found that
> in Shared.DC.Scripts.Bindings._getContext(self), there seems to be a new security check: getSecurityManager().validate(parent, container, '', self)

Yep, this was a real hole in PythonScripts before; the script shouldn't bind the name 'container' if the user doesn't have access to the container.

> does only allow Manager to access the container of the script that is called during the DCWorkflow transition.
> Any ideas?

Two possibilities:

  - If your script doesn't need to access container, then go to its "Bindings" tab and clear the entry for "container". The security check added in 2.6.3 won't take effect until the name is bound (there is even a unit test for that case).

  - If your script *does* need access to the container (which will be the "scripts" container of the workflow, IIRC), then you need to give the script a proxy role of 'Manager'.

Tres.
--
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
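
A toy model of the behaviour described in the reply above, added here as an illustration; it is not part of the original thread and is not Zope's code. The names `Folder`, `ModelScript` and `outcome` are hypothetical, and the model assumes that proxy roles, when set, replace the caller's roles for the check.

```python
# Toy model of the binding check discussed in the thread; NOT Zope's code.
# All class and function names here are hypothetical.

class Unauthorized(Exception):
    """Raised when the caller may not access the object being bound."""


class Folder:
    def __init__(self, name, roles_allowed):
        self.name = name
        self.roles_allowed = frozenset(roles_allowed)


class ModelScript:
    def __init__(self, container, bound_names, proxy_roles=()):
        self.container = container
        self.bound_names = set(bound_names)      # entries on the "Bindings" tab
        self.proxy_roles = frozenset(proxy_roles)

    def effective_roles(self, caller_roles):
        # Assumption: proxy roles, when set, replace the caller's roles.
        return self.proxy_roles or frozenset(caller_roles)

    def get_context(self, caller_roles):
        """Build the bound-names namespace, validating before binding."""
        namespace = {}
        if "container" in self.bound_names:      # no binding, no check
            roles = self.effective_roles(caller_roles)
            if not roles & self.container.roles_allowed:
                raise Unauthorized("container %r" % self.container.name)
            namespace["container"] = self.container
        return namespace


def outcome(script, caller_roles):
    """Return the names that got bound, or 'Unauthorized' if the check fails."""
    try:
        return sorted(script.get_context(caller_roles))
    except Unauthorized:
        return "Unauthorized"


# Constructed scenario: a workflow "scripts" folder only Manager may access.
scripts_folder = Folder("scripts", roles_allowed={"Manager"})
member = {"Member"}

bound = ModelScript(scripts_folder, {"container"})                # default binding
unbound = ModelScript(scripts_folder, set())                      # binding cleared
proxied = ModelScript(scripts_folder, {"container"}, {"Manager"}) # proxy role set
```
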