From 6fa904fffc2545eaf8a0a1b978e5d4557dc7b465 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartek=20G=C3=B3rny?= <bartek@gorny.edu.pl>
Date: Wed, 1 Nov 2006 15:58:26 +0000
Subject: [PATCH] Implemented basic security settings (6 policies)

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11041 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 .../PortalTypeRolesTemplateItem/Text.xml | 91 +++++++--
 .../erp5_dms/Document_policyApplies.xml | 184 ++++++++++++++++++
 .../states/archived.xml | 2 -
 .../states/draft.xml | 2 -
 .../states/shared.xml | 4 -
 .../states/submitted.xml | 2 +
 .../transitions/retract.xml | 76 --------
 .../transitions/retract_action.xml | 100 ----------
 .../transitions/share_action.xml | 5 +-
 .../transitions/submit_action.xml | 25 +++
 bt5/erp5_dms/bt/change_log | 3 +
 bt5/erp5_dms/bt/dependency_list | 1 -
 bt5/erp5_dms/bt/revision | 2 +-
 bt5/erp5_dms/bt/version | 2 +-
 14 files changed, 294 insertions(+), 205 deletions(-)
 create mode 100644 bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/Document_policyApplies.xml
 delete mode 100644 bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract.xml
 delete mode 100644 bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract_action.xml

diff --git a/bt5/erp5_dms/PortalTypeRolesTemplateItem/Text.xml b/bt5/erp5_dms/PortalTypeRolesTemplateItem/Text.xml
index 4d685556a1..fcf82b6872 100644
--- a/bt5/erp5_dms/PortalTypeRolesTemplateItem/Text.xml
+++ b/bt5/erp5_dms/PortalTypeRolesTemplateItem/Text.xml
@@ -1,43 +1,104 @@ <type_roles> <role id='Associate'> - <property id='title'>Project Assignees</property> - <property id='description'>Policy: personal/project + <property id='title'>Project Associates</property> + <property id='description'>Policy: */project Rule: all project members have a right to access document once it has been shared or released</property> - <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property> + <property id='condition'>python:object.Document_policyApplies('*/project')</property> <property id='priority'>10</property> <property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property> <multi_property id='category'></multi_property> <multi_property id='base_category'>source_project</multi_property> </role> <role id='Assignor'> - <property id='title'>P/P - Project Director</property> - <property id='description'>Policy: personal/project + <property id='title'>Project Director</property> + <property id='description'>Policy: */project Rule: project director is an Assignor (has management rights to the doc - can review it, release, publish, add local roles)</property> - <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property> + <property id='condition'>python:object.Document_policyApplies('*/project')</property> <property id='priority'>10</property> <property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property> - <multi_property id='category'>function/project/director</multi_property> + <multi_property id='category'>function/knowledge/manager</multi_property> <multi_property id='base_category'>source_project</multi_property> <multi_property id='base_category'>function</multi_property> </role> <role id='Assignee'> - <property id='title'>P/P - Project Owner</property> - <property id='description'>Policy: personal/project -Rule: the creator is Assignee - can edit the doc 
and share it with the team</property> - <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property> + <property id='title'>Owner</property> + <property id='description'>Policy: */* +Rule: the creator is Assignee - can edit the doc and submit it</property> <property id='priority'>10</property> <property id='base_category_script'>ERP5Type_getSecurityCategoryFromUser</property> <multi_property id='category'></multi_property> <multi_property id='base_category'>reference</multi_property> </role> <role id='Auditor'> - <property id='title'>P/P - Organisation members</property> - <property id='description'>Policy: personal/project -Rule: all people working for the same organisation are Auditors (we identify the organisation by the first part of the "group" path)</property> - <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property> + <property id='title'>Organisation members</property> + <property id='description'>Policy: */* +Rule: all people working for the same organisation are Auditors (we identify the organisation by the first part of the "group" path) +This does not apply if it is a project document and does not have a project</property> + <property id='condition'>python: not object.Document_policyApplies('*/restricted') and (object.Document_policyApplies('*/project') or not object.Document_policyApplies('*/project',True) )</property> <property id='priority'>10</property> <property id='base_category_script'>ERP5Type_getSecurityCategoryRoot</property> <multi_property id='category'></multi_property> <multi_property id='base_category'>group</multi_property> </role> + <role id='Assignee'> + <property id='title'>Project Collaborators</property> + <property id='description'>Policy: collaborative/project +Rule: all members of project team can edit the document before it is submitted, and can submit it</property> + <property 
id='condition'>python:object.Document_policyApplies('collaborative/project')</property> + <property id='priority'>10</property> + <property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property> + <multi_property id='category'></multi_property> + <multi_property id='base_category'>source_project</multi_property> + </role> + <role id='Assignor'> + <property id='title'>Team Director</property> + <property id='description'>Policy: */team +Rule: team manager is an Assignor (has management rights to the doc - can review it, release, publish, add local roles)</property> + <property id='condition'>python:object.Document_policyApplies('*/team')</property> + <property id='priority'>10</property> + <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property> + <multi_property id='category'>function/knowledge/manager</multi_property> + <multi_property id='base_category'>group</multi_property> + <multi_property id='base_category'>function</multi_property> + </role> + <role id='Associate'> + <property id='title'>Team Associates</property> + <property id='description'>Policy: */team +Rule: all team members have a right to access document once it has been shared or released</property> + <property id='condition'>python:object.Document_policyApplies('*/team')</property> + <property id='priority'>10</property> + <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property> + <multi_property id='category'></multi_property> + <multi_property id='base_category'>group</multi_property> + </role> + <role id='Assignee'> + <property id='title'>Team Collaborators</property> + <property id='description'>Policy: collaborative/team +Rule: all members of the team can edit the document before it is submitted, and can submit it</property> + <property id='condition'>python:object.Document_policyApplies('collaborative/team')</property> + <property id='priority'>10</property> + <property 
id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property> + <multi_property id='category'></multi_property> + <multi_property id='base_category'>group</multi_property> + </role> + <role id='Assignee'> + <property id='title'>Public Collaborators</property> + <property id='description'>Policy: collaborative/public +Rule: everyone in the organisation (root group) can edit the doc before it is submitted, and can suggest its publication</property> + <property id='condition'>python:object.Document_policyApplies('collaborative/public')</property> + <property id='priority'>10</property> + <property id='base_category_script'>ERP5Type_getSecurityCategoryRoot</property> + <multi_property id='category'></multi_property> + <multi_property id='base_category'>group</multi_property> + </role> + <role id='Assignor'> + <property id='title'>Public Reviewer</property> + <property id='description'>Policy: collaborative/public +Rule: any person with knowledge/manager role can publish the document and manage access rights to it</property> + <property id='condition'>python:object.Document_policyApplies('collaborative/public')</property> + <property id='priority'>10</property> + <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property> + <multi_property id='category'>function/knowledge/manager</multi_property> + <multi_property id='base_category'>function</multi_property> + </role> </type_roles> \ No newline at end of file diff --git a/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/Document_policyApplies.xml b/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/Document_policyApplies.xml new file mode 100644 index 0000000000..5777f0dc39 --- /dev/null +++ b/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/Document_policyApplies.xml 
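Review bot: The new `Public Reviewer` Assignor role is computed by `ERP5Type_getSecurityCategoryFromAssignment` with `function` as its only base category, so any user holding a `function/knowledge/manager` assignment gets publish and local-role management rights on every `collaborative/public` document, with no group scoping — unlike `Team Director`, which also keys on `group`, and `Project Director`, which keys on `source_project`. The Auditor role in the same file identifies an organisation by the root of the `group` path, so if one instance hosts several organisations this role appears to cross that boundary; if that is intended, say so in the description, otherwise add `<multi_property id='base_category'>group</multi_property>` as the team role does. The Auditor condition (`not */restricted and (*/project or not */project membership-only)`) is the only non-trivial expression here and deserves a one-line gloss in its description, e.g. `Condition: restricted documents never; project-classified documents only when they carry a source project`.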
@@ -0,0 +1,184 @@ +<?xml version="1.0"?> +<ZopeData> + <record id="1" aka="AAAAAAAAAAE="> + <pickle> + <tuple> + <tuple> + <string>Products.PythonScripts.PythonScript</string> + <string>PythonScript</string> + </tuple> + <none/> + </tuple> + </pickle> + <pickle> + <dictionary> + <item> + <key> <string>Python_magic</string> </key> + <value> + <none/> + </value> + </item> + <item> + <key> <string>Script_magic</string> </key> + <value> <int>3</int> </value> + </item> + <item> + <key> <string>__ac_local_roles__</string> </key> + <value> + <none/> + </value> + </item> + <item> + <key> <string>_bind_names</string> </key> + <value> + <object> + <klass> + <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/> + </klass> + <tuple/> + <state> + <dictionary> + <item> + <key> <string>_asgns</string> </key> + <value> + <dictionary> + <item> + <key> <string>name_container</string> </key> + <value> <string>container</string> </value> + </item> + <item> + <key> <string>name_context</string> </key> + <value> <string>context</string> </value> + </item> + <item> + <key> <string>name_m_self</string> </key> + <value> <string>script</string> </value> + </item> + <item> + <key> <string>name_subpath</string> </key> + <value> <string>traverse_subpath</string> </value> + </item> + </dictionary> + </value> + </item> + </dictionary> + </state> + </object> + </value> + </item> + <item> + <key> <string>_body</string> </key> + <value> <string>klass=context.getClassification()\n +if klass is None:return False\n +kl=klass.split(\'/\')\n +\n +if len(kl)==1:\n + # personal = personal/restricted\n + if kl[0]==\'personal\':kl.append(\'restricted\')\n + # collaborative = collaborative/team\n + if kl[0]==\'collaborative\':kl.append(\'team\')\n +\n +# personal/restricted is unconditional\n +if kl==[\'personal,restricted\']:\n + return policy==\'personal/restricted\'\n +\n +pol=policy.split(\'/\')\n +\n +\n +if not membershiponly:\n + # project policies do not apply if we don\'t have 
source_project\n + if pol[1]==\'project\':\n + if context.getSourceProject()==None:\n + return False\n +\n +# if all conditions are met, check if the policy is ok (wildcards are ok)\n +return (pol[0] in (\'*\',kl[0])) and (pol[1] in (\'*\',kl[1]))\n +</string> </value> + </item> + <item> + <key> <string>_code</string> </key> + <value> + <none/> + </value> + </item> + <item> + <key> <string>_filepath</string> </key> + <value> + <none/> + </value> + </item> + <item> + <key> <string>_owner</string> </key> + <value> + <none/> + </value> + </item> + <item> + <key> <string>_params</string> </key> + <value> <string>policy,membershiponly=False</string> </value> + </item> + <item> + <key> <string>errors</string> </key> + <value> + <tuple/> + </value> + </item> + <item> + <key> <string>func_code</string> </key> + <value> + <object> + <klass> + <global name="FuncCode" module="Shared.DC.Scripts.Signature"/> + </klass> + <tuple/> + <state> + <dictionary> + <item> + <key> <string>co_argcount</string> </key> + <value> <int>2</int> </value> + </item> + <item> + <key> <string>co_varnames</string> </key> + <value> + <tuple> + <string>policy</string> + <string>membershiponly</string> + <string>_getattr_</string> + <string>context</string> + <string>klass</string> + <string>None</string> + <string>False</string> + <string>kl</string> + <string>len</string> + <string>_getitem_</string> + <string>pol</string> + </tuple> + </value> + </item> + </dictionary> + </state> + </object> + </value> + </item> + <item> + <key> <string>func_defaults</string> </key> + <value> + <tuple> + <int>0</int> + </tuple> + </value> + </item> + <item> + <key> <string>id</string> </key> + <value> <string>Document_policyApplies</string> </value> + </item> + <item> + <key> <string>warnings</string> </key> + <value> + <tuple/> + </value> + </item> + </dictionary> + </pickle> + </record> +</ZopeData> 
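Review bot: The "personal/restricted is unconditional" branch compares `kl` against `['personal,restricted']`, a one-element list holding the string `personal,restricted`, so it can never equal the two-element `['personal', 'restricted']` and the branch is dead. The callers actually depend on that: `*/restricted` in the Auditor condition and in the new `submit_action` guard only returns True for a restricted document because execution falls through to the wildcard match, so repairing the typo literally would make `Document_policyApplies('*/restricted')` return False and open those guards — delete the branch instead and put `if len(kl) < 2: return False` in its place before `kl[1]` is read. Without such a guard a single-segment classification other than `personal` or `collaborative` raises IndexError at `kl[1]`, as does a `policy` argument without a `/`, and a raised exception inside a role condition or workflow guard is an outage rather than a denial. Minor: `context.getSourceProject()==None` should be `is None`.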
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
index 9447f2e167..75e6306c80 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
@@ -74,7 +74,6 @@
 <string>Assignee</string>
 <string>Assignor</string>
 <string>Associate</string>
- <string>Auditor</string>
 <string>Manager</string>
 <string>Owner</string>
 </tuple>
@@ -113,7 +112,6 @@
 <string>Assignee</string>
 <string>Assignor</string>
 <string>Associate</string>
- <string>Auditor</string>
 <string>Manager</string>
 <string>Owner</string>
 </tuple>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/draft.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/draft.xml
index 4603d683ed..963154fe00 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/draft.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/draft.xml
@@ -42,8 +42,6 @@
 <tuple>
 <string>cancel</string>
 <string>cancel_action</string>
- <string>share</string>
- <string>share_action</string>
 <string>submit</string>
 <string>submit_action</string>
 </tuple>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
index 51306d28b3..289ecbe6ee 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
@@ -48,10 +48,6 @@
 <tuple>
 <string>archive</string>
 <string>archive_action</string>
- <string>retract</string>
- <string>retract_action</string>
- <string>submit</string>
- <string>submit_action</string>
 </tuple>
 </value>
 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/submitted.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/submitted.xml
index 0709fad453..228b87b23c 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/submitted.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/submitted.xml
@@ -48,6 +48,8 @@
 <string>reject_action</string>
 <string>release</string>
 <string>release_action</string>
+ <string>share</string>
+ <string>share_action</string>
 </tuple>
 </value>
 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract.xml
deleted file mode 100644
index 30f57116e9..0000000000
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract.xml
+++ /dev/null
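Review bot: With `retract`/`retract_action` and `submit`/`submit_action` removed from the `shared` state, the only transition left there is `archive`, so a document shared by mistake cannot be pulled back to draft or pushed on to review; it can only be archived. If share is meant to be terminal apart from archive, the change_log entry should say so, since the previous revision allowed an Assignee or Owner to retract a shared document and the deleted `retract_action` guard shows exactly that. Otherwise keep `retract` on the shared state and give it the same tightened `Assignor` guard this commit applies to `share_action`.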
@@ -1,76 +0,0 @@ -<?xml version="1.0"?> -<ZopeData> - <record id="1" aka="AAAAAAAAAAE="> - <pickle> - <tuple> - <tuple> - <string>Products.DCWorkflow.Transitions</string> - <string>TransitionDefinition</string> - </tuple> - <none/> - </tuple> - </pickle> - <pickle> - <dictionary> - <item> - <key> <string>__ac_local_roles__</string> </key> - <value> - <none/> - </value> - </item> - <item> - <key> <string>_owner</string> </key> - <value> - <none/> - </value> - </item> - <item> - <key> <string>actbox_category</string> </key> - <value> <string>workflow</string> </value> - </item> - <item> - <key> <string>actbox_name</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>actbox_url</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>after_script_name</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>description</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>guard</string> </key> - <value> - <none/> - </value> - </item> - <item> - <key> <string>id</string> </key> - <value> <string>retract</string> </value> - </item> - <item> - <key> <string>new_state_id</string> </key> - <value> <string>draft</string> </value> - </item> - <item> - <key> <string>script_name</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>title</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>trigger_type</string> </key> - <value> <int>2</int> </value> - </item> - </dictionary> - </pickle> - </record> -</ZopeData> diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract_action.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract_action.xml deleted file mode 100644 index 5683e1ee06..0000000000 
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract_action.xml +++ /dev/null 
@@ -1,100 +0,0 @@ -<?xml version="1.0"?> -<ZopeData> - <record id="1" aka="AAAAAAAAAAE="> - <pickle> - <tuple> - <tuple> - <string>Products.DCWorkflow.Transitions</string> - <string>TransitionDefinition</string> - </tuple> - <none/> - </tuple> - </pickle> - <pickle> - <dictionary> - <item> - <key> <string>__ac_local_roles__</string> </key> - <value> - <none/> - </value> - </item> - <item> - <key> <string>_owner</string> </key> - <value> - <none/> - </value> - </item> - <item> - <key> <string>actbox_category</string> </key> - <value> <string>workflow</string> </value> - </item> - <item> - <key> <string>actbox_name</string> </key> - <value> <string>Retract</string> </value> - </item> - <item> - <key> <string>actbox_url</string> </key> - <value> <string>%(content_url)s/BaseWorkflow_viewWorkflowActionDialog?workflow_action=retract_action</string> </value> - </item> - <item> - <key> <string>after_script_name</string> </key> - <value> <string>retract</string> </value> - </item> - <item> - <key> <string>description</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>guard</string> </key> - <value> - <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent> - </value> - </item> - <item> - <key> <string>id</string> </key> - <value> <string>retract_action</string> </value> - </item> - <item> - <key> <string>new_state_id</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>script_name</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>title</string> </key> - <value> <string></string> </value> - </item> - <item> - <key> <string>trigger_type</string> </key> - <value> <int>1</int> </value> - </item> - </dictionary> - </pickle> - </record> - <record id="2" aka="AAAAAAAAAAI="> - <pickle> - <tuple> - <tuple> - <string>Products.DCWorkflow.Guard</string> - <string>Guard</string> - </tuple> - <none/> - </tuple> - </pickle> - <pickle> - <dictionary> - <item> - 
<key> <string>roles</string> </key> - <value> - <tuple> - <string>Assignee</string> - <string>Owner</string> - </tuple> - </value> - </item> - </dictionary> - </pickle> - </record> -</ZopeData> diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/share_action.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/share_action.xml index a750ee84bf..4dc18d9bb1 100644 --- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/share_action.xml +++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/share_action.xml @@ -95,8 +95,7 @@ <key> <string>roles</string> </key> <value> <tuple> - <string>Assignee</string> - <string>Owner</string> + <string>Assignor</string> </tuple> </value> </item> @@ -117,7 +116,7 @@ <dictionary> <item> <key> <string>text</string> </key> - <value> <string>python:here.isMemberOf(\'classification/personal\')</string> </value> + <value> <string>python:here.Document_policyApplies(\'personal/*\')</string> </value> </item> </dictionary> </pickle> diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/submit_action.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/submit_action.xml index 4f69967f7b..adb9bba3be 100644 --- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/submit_action.xml +++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/submit_action.xml @@ -79,6 +79,12 @@ </pickle> <pickle> <dictionary> + <item> + <key> <string>expr</string> </key> + <value> + <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent> + </value> + </item> <item> <key> <string>roles</string> </key> <value> 
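Review bot: The `share_action` guard now requires `Assignor` and the expression `python:here.Document_policyApplies('personal/*')`, so only personal documents can ever be shared; yet the `Project Associates` and `Team Associates` descriptions in Text.xml promise access "once it has been shared or released", which for `collaborative/*` documents can only mean released. Either widen the expression to the policies that are meant to be shareable or drop "shared" from those descriptions so the access model reads consistently. Note also that no role definition in Text.xml yields an `Assignor` for a `personal/restricted` document, so with this guard share is reachable there only by Manager — presumably intended, but worth stating in the transition's `description` field, which is currently empty.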
@@ -91,4 +97,23 @@
 </dictionary>
 </pickle>
 </record>
+ <record id="3" aka="AAAAAAAAAAM=">
+ <pickle>
+ <tuple>
+ <tuple>
+ <string>Products.CMFCore.Expression</string>
+ <string>Expression</string>
+ </tuple>
+ <none/>
+ </tuple>
+ </pickle>
+ <pickle>
+ <dictionary>
+ <item>
+ <key> <string>text</string> </key>
+ <value> <string>python:not here.Document_policyApplies(\'*/restricted\')</string> </value>
+ </item>
+ </dictionary>
+ </pickle>
+ </record>
 </ZopeData>
diff --git a/bt5/erp5_dms/bt/change_log b/bt5/erp5_dms/bt/change_log
index 712e6c752f..df7d9d025e 100644
--- a/bt5/erp5_dms/bt/change_log
+++ b/bt5/erp5_dms/bt/change_log
@@ -1,3 +1,6 @@
+2006-11-01
+Implemented basic security settings (6 policies)
+
 2006-10-30
 Removed "collaborated", added "shared"
 Implemented "personal/project" security classification
diff --git a/bt5/erp5_dms/bt/dependency_list b/bt5/erp5_dms/bt/dependency_list
index 5baeafc5b1..e69de29bb2 100644
--- a/bt5/erp5_dms/bt/dependency_list
+++ b/bt5/erp5_dms/bt/dependency_list
@@ -1 +0,0 @@
-erp5_project
\ No newline at end of file
diff --git a/bt5/erp5_dms/bt/revision b/bt5/erp5_dms/bt/revision
index eff3954851..6eac4a65cd 100644
--- a/bt5/erp5_dms/bt/revision
+++ b/bt5/erp5_dms/bt/revision
@@ -1 +1 @@
-290
\ No newline at end of file
+292
\ No newline at end of file
diff --git a/bt5/erp5_dms/bt/version b/bt5/erp5_dms/bt/version
index 02d77135a4..8f83716e76 100644
--- a/bt5/erp5_dms/bt/version
+++ b/bt5/erp5_dms/bt/version
@@ -1 +1 @@
-0.81
\ No newline at end of file
+0.82
\ No newline at end of file
-- 2.30.9
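Review bot: The new submit guard `python:not here.Document_policyApplies('*/restricted')` fails open: the script returns False when `getClassification()` is None, so an unclassified document is treated as non-restricted and can be submitted. Since the point of the guard is to keep restricted material out of the review and publication path, prefer fail-closed, e.g. `python:here.getClassification() and not here.Document_policyApplies('*/restricted')`, or require a classification before `submit_action` is offered at all. The `roles` tuple this expression is combined with lives in the previous hunk, outside this one.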
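Review bot: `erp5_project` is dropped from `dependency_list`, but the new roles in Text.xml still key on the `source_project` base category and `Document_policyApplies` calls `context.getSourceProject()`. If that base category and its accessor are supplied by `erp5_project` rather than a core template, installing `erp5_dms` on its own will leave the `*/project` roles and the script broken; either keep the dependency or record in change_log which template now provides `source_project`.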