[Zope-CMF] WorkFlow / Security advice
matt.bartolome at uniontrib.com
Wed Mar 9 21:35:32 EST 2005
I'm looking for advice on a security/workflow issue. I'm working with
CMFMember but this issue seems to be a CMF/DCWorkflow security issue. What I
need to do is allow unrestricted code from a CMF tool to trigger a workflow
transition. I keep getting unauthorized messages even though I have declared
a public method.
I have a tool that does the following:

    security.declarePublic('triggerWorkFlowAction')
    def triggerWorkFlowAction( self,id,workflow_action,comment=''):
        """
        triggers workflow_action
        """
        mtool = getToolByName(self, 'portal_memberdata')
        member = mtool[id].__of__(self)
        member.portal_workflow.doActionFor(member,
                                           workflow_action,
                                           wf_id='member_auto_workflow')

I've traced the unauthorized error to this method in
AccessControl.ImplPython:

    def checkPermission(self, permission, object, context):
        # XXX proxy roles and executable owner are not checked
        roles = rolesForPermissionOn(permission, object)
        if isinstance(roles, basestring):
            roles = [roles]
        return context.user.allowed(object, roles)

This is from Guard.py; if I modify check to return 1, everything works how I
want it to.

    def check(self, sm, wf_def, ob):
        '''
        Checks conditions in this guard.
        '''
        pp = self.permissions
        if pp:
            found = 0
            for p in pp:
                if sm.checkPermission(p, ob):
                    found = 1
                    break
            if not found:
                return 0
        roles = self.roles

I'm using Zope-2.7.3 CMF-1.4.7
Any advice or help would be appreciated.
Thanks,
Matt
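
The two checks described in the message above, as an added example that is not part of the original post and is not Zope or CMF code: a stand-alone Python 3 model in which the public declaration on the tool method and the workflow guard's permission check are separate layers, and the "return 1" modification to check opens the guarded transition to every caller. All names (User, Member, trigger, the permission string) are constructed for illustration.

```python
# Simplified stand-alone model (not Zope code); every name here is hypothetical.
PUBLIC = object()  # stands in for what security.declarePublic records


class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)


class Member:
    """Constructed object: maps each permission to the roles that hold it."""
    permission_roles = {"Example permission": {"Manager", "Reviewer"}}


def may_call(method_declaration, user):
    # Layer 1: method-level declaration. A public method is callable by anyone.
    return method_declaration is PUBLIC


def check_permission(permission, obj, user):
    # Layer 2: as in the quoted checkPermission, only the current user's roles
    # count; nothing about the calling code (proxy roles, owner) is consulted.
    return bool(obj.permission_roles.get(permission, set()) & user.roles)


def guard_check(guard_permissions, obj, user, patched=False):
    if patched:  # models the "return 1" modification from the post
        return True
    if guard_permissions:
        return any(check_permission(p, obj, user) for p in guard_permissions)
    return True


def trigger(user, patched=False):
    """Model of the tool method: public entry point, guarded transition inside."""
    if not may_call(PUBLIC, user):
        return "Unauthorized (method)"
    if not guard_check(["Example permission"], Member(), user, patched):
        return "Unauthorized (guard)"
    return "transition done"


if __name__ == "__main__":
    anon = User("Anonymous User", ["Anonymous"])
    reviewer = User("rev", ["Member", "Reviewer"])
    for user in (anon, reviewer):
        print(user.name, "->", trigger(user),
              "| with patched guard:", trigger(user, patched=True))
```
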