[Zope-CMF] WorkFlow / Security advice

Florent Guillaume fg at nuxeo.com
Thu Mar 10 06:55:26 EST 2005


<matt.bartolome at uniontrib.com> wrote:
> I'm looking for advice on a security/workflow issue. I'm working with
> CMFMember but this issue seems to be a CMF/DCWorkflow security issue. What I
> need to do is allow unrestricted code from a cmf tool to trigger a workflow
> transition. I keep getting unauthorized messages even though I have declared
> a public method.
> 
> I have a tool that does the following:
> 
>     security.declarePublic('triggerWorkFlowAction')
>     def triggerWorkFlowAction( self,id,workflow_action,comment=''):
>         """
>         triggers workflow_action
>         """
>         mtool = getToolByName(self, 'portal_memberdata')
>         member = mtool[id].__of__(self)
>         member.portal_workflow.doActionFor(member,
>               workflow_action,
>               wf_id='member_auto_workflow')
> 
> I've traced the unauthorized error to this method in
> AccessControl.ImplPython:
> 
>     def checkPermission(self, permission, object, context):
>         # XXX proxy roles and executable owner are not checked
>         roles = rolesForPermissionOn(permission, object)
>         if isinstance(roles, basestring):
>             roles = [roles]
>         return context.user.allowed(object, roles)

This checks using the rights of the currently authenticated user for the
request.

If you want to temporarily execute code as an unrestricted user, you'll
have to call code like:

from AccessControl import getSecurityManager
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.User import UnrestrictedUser as BaseUnrestrictedUser

class UnrestrictedUser(BaseUnrestrictedUser):
    """Unrestricted user that still has an id."""
    def getId(self):
        """Return the ID of the user."""
        return self.getUserName()

And then do

user = getSecurityManager().getUser()
tmp_user = UnrestrictedUser('manager', '', ['Manager'], '')
tmp_user = tmp_user.__of__(self.acl_users) # or use appropriate context
try:
    newSecurityManager(None, tmp_user)
    ### CALL YOUR METHOD HERE ###
finally:
    newSecurityManager(None, user)

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com
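As an added, stand-alone illustration of the pattern Florent describes (this is a toy model written for this page, not Zope's AccessControl code and not code from either poster), the following mimics the three pieces involved: a `checkPermission` with the same shape as the one quoted above, a `newSecurityManager` swap, and a `try`/`finally` that restores the request's user. The names `Obj`, `run_unrestricted`, `do_action_for` and the 'Modify portal content' guard are invented for the model. It shows why `declarePublic` on the tool method does not help (the transition guard is checked against the user on the security manager, not against the caller), and why the `finally` matters: the request user is restored even when the elevated call raises.

```python
"""Toy model of Zope's "run as unrestricted user" pattern (constructed for
illustration; not the real AccessControl implementation)."""
import contextlib


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def allowed(self, obj, roles):
        # Mirrors user.allowed(): permitted if the user holds any of the
        # roles that grant the permission on this object.
        return bool(self.roles & set(roles))


class UnrestrictedUser(User):
    """Bypasses role checks, like AccessControl's UnrestrictedUser."""
    def allowed(self, obj, roles):
        return True


class Obj:
    """Stand-in for a content object carrying permission -> roles settings."""
    def __init__(self, permission_roles):
        self._roles = permission_roles


def rolesForPermissionOn(permission, obj):
    roles = obj._roles.get(permission, [])
    # Same normalisation as the quoted checkPermission: a single role
    # string is wrapped into a list.
    return [roles] if isinstance(roles, str) else roles


class SecurityManager:
    def __init__(self, user):
        self.user = user


# Module-level "current security manager" (thread-local in real Zope).
_current = [SecurityManager(User('anonymous', ['Anonymous']))]


def getSecurityManager():
    return _current[0]


def newSecurityManager(request, user):
    _current[0] = SecurityManager(user)


def checkPermission(permission, obj):
    # Same shape as AccessControl.ImplPython.checkPermission quoted above:
    # the check is made against the *current security manager's* user,
    # regardless of which method (public or not) we are being called from.
    roles = rolesForPermissionOn(permission, obj)
    return getSecurityManager().user.allowed(obj, roles)


@contextlib.contextmanager
def run_unrestricted():
    """Temporarily swap in an unrestricted user; always restore the original."""
    saved = getSecurityManager().user
    newSecurityManager(None, UnrestrictedUser('manager', ['Manager']))
    try:
        yield
    finally:
        newSecurityManager(None, saved)


def do_action_for(obj, action):
    # Model of a workflow transition guard (hypothetical permission name).
    if not checkPermission('Modify portal content', obj):
        raise PermissionError('Unauthorized: %s' % action)
    return action


def trigger_as_request_user(member, action):
    # What the tool method in the thread effectively does today.
    return do_action_for(member, action)


def trigger_with_elevation(member, action):
    # Keep the elevated scope as narrow as the single call that needs it.
    with run_unrestricted():
        return do_action_for(member, action)


def demo():
    member = Obj({'Modify portal content': ['Manager']})  # constructed object
    newSecurityManager(None, User('matt', ['Member']))   # plain request user
    results = {}
    try:
        trigger_as_request_user(member, 'approve')
        results['direct'] = 'allowed'
    except PermissionError:
        results['direct'] = 'unauthorized'
    results['elevated'] = trigger_with_elevation(member, 'approve')
    # The finally branch restores the request user even if the call raises.
    try:
        with run_unrestricted():
            raise RuntimeError('transition failed midway')
    except RuntimeError:
        pass
    results['restored_user'] = getSecurityManager().user.name
    return results


if __name__ == '__main__':
    print(demo())
```

Without the swap the guard rejects the Member, with it the transition succeeds, and after a failing elevated call the manager is back to the request user, which is the property to verify in any real implementation of this pattern.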

