Commit 1ba2040e authored by Jean-Paul Smets's avatar Jean-Paul Smets

Fixed security in workflow scripts wrt state_change_object. Popup search box...

Fixed security in workflow scripts wrt state_change_object. Popup search box can now cope with missing information.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@14396 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent e12d8484
...@@ -78,11 +78,14 @@ translateString = context.Base_translateString\n ...@@ -78,11 +78,14 @@ translateString = context.Base_translateString\n
vals = {}\n vals = {}\n
owner_list = context.Base_getOwnerInfoList()\n owner_list = context.Base_getOwnerInfoList()\n
vals[\'owner\'] = \'; \'.join([owner[\'title\'] for owner in owner_list])\n vals[\'owner\'] = \'; \'.join([owner[\'title\'] for owner in owner_list])\n
vals[\'moddate\'] = context.WebSite_getFancyRelativeDate(context.getModificationDate())\n if context.getModificationDate() is not None:\n
vals[\'moddate\'] = context.WebSite_getFancyRelativeDate(context.getModificationDate())\n
publdate = context.Document_getLastWorkflowStateEntryDate(state=(\'public,\'), state_name=\'validation_state\')\n publdate = context.Document_getLastWorkflowStateEntryDate(state=(\'public,\'), state_name=\'validation_state\')\n
vals[\'publdate\'] = context.WebSite_getFancyRelativeDate(publdate)\n if publdate is not None:\n
vals[\'publdate\'] = context.WebSite_getFancyRelativeDate(publdate)\n
reldate = context.Document_getLastWorkflowStateEntryDate(state=(\'released,\'), state_name=\'validation_state\')\n reldate = context.Document_getLastWorkflowStateEntryDate(state=(\'released,\'), state_name=\'validation_state\')\n
vals[\'reldate\'] = context.WebSite_getFancyRelativeDate(reldate)\n if reldate is not None:\n
vals[\'reldate\'] = context.WebSite_getFancyRelativeDate(reldate)\n
try:\n try:\n
vals[\'status\'] = context.getTranslatedValidationStateTitle() or \'\'\n vals[\'status\'] = context.getTranslatedValidationStateTitle() or \'\'\n
except AttributeError:\n except AttributeError:\n
...@@ -162,6 +165,7 @@ return context.Document_viewPopupTemplate(**vals)\n ...@@ -162,6 +165,7 @@ return context.Document_viewPopupTemplate(**vals)\n
<string>owner</string> <string>owner</string>
<string>_getitem_</string> <string>_getitem_</string>
<string>_write_</string> <string>_write_</string>
<string>None</string>
<string>publdate</string> <string>publdate</string>
<string>reldate</string> <string>reldate</string>
<string>AttributeError</string> <string>AttributeError</string>
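Review bot: On the new moddate guard, `context.getModificationDate()` is evaluated twice — once in the condition and again to fill `vals['moddate']`; binding it once, `moddate = context.getModificationDate()` / `if moddate is not None:` / `vals['moddate'] = context.WebSite_getFancyRelativeDate(moddate)`, matches the publdate/reldate pattern just below it. With the three guards, `vals` may now lack the `moddate`, `publdate` or `reldate` keys, so `Document_viewPopupTemplate(**vals)` on the second hunk header must treat them as optional; the commit does not show the template, so this is worth confirming. On the unchanged context lines, `state=('public,')` is the plain string `'public,'` (comma inside the quotes) rather than a one-element tuple; if `Document_getLastWorkflowStateEntryDate` expects a tuple the spelling would be `('public',)`, though that predates this commit. The script's body continues outside the hunk.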
......
...@@ -74,7 +74,7 @@ XXX (the same is done in Document_uploadFile - seems that we\n ...@@ -74,7 +74,7 @@ XXX (the same is done in Document_uploadFile - seems that we\n
have redundancy here)\n have redundancy here)\n
"""\n """\n
\n \n
ob=state_change.object\n ob=state_change[\'object\']\n
kw=ob.REQUEST\n kw=ob.REQUEST\n
f=kw.get(\'my_file\', None)\n f=kw.get(\'my_file\', None)\n
\n \n
...@@ -131,8 +131,9 @@ if f is not None and f:\n ...@@ -131,8 +131,9 @@ if f is not None and f:\n
<value> <value>
<tuple> <tuple>
<string>state_change</string> <string>state_change</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>ob</string> <string>ob</string>
<string>_getattr_</string>
<string>kw</string> <string>kw</string>
<string>None</string> <string>None</string>
<string>f</string> <string>f</string>
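Review bot: The new `ob=state_change['object']` line carries no comment saying why item access replaced attribute access, and the names tuple still lists `_getattr_` (for `ob.REQUEST`), so a later edit could drift back to `state_change.object` without anything flagging it. A one-line comment above it such as `# item access is deliberate: state_change.object was replaced for security reasons (svn r14396)` would pin the intent. The identical `state_change['object']` change recurs in the following hunks — the second upload script, the edit script, the metadata script, the two reference scripts, the consistency-check script and the URL script — and the same comment applies to each. The script's body continues outside the hunk.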
......
...@@ -74,7 +74,7 @@ XXX (the same is done in Document_uploadFile - seems that we\n ...@@ -74,7 +74,7 @@ XXX (the same is done in Document_uploadFile - seems that we\n
have redundancy here)\n have redundancy here)\n
"""\n """\n
\n \n
ob = state_change.object\n ob = state_change[\'object\']\n
kw = ob.REQUEST\n kw = ob.REQUEST\n
f = kw.get(\'my_file\', None)\n f = kw.get(\'my_file\', None)\n
\n \n
...@@ -129,8 +129,9 @@ if f is not None and f:\n ...@@ -129,8 +129,9 @@ if f is not None and f:\n
<value> <value>
<tuple> <tuple>
<string>state_change</string> <string>state_change</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>ob</string> <string>ob</string>
<string>_getattr_</string>
<string>kw</string> <string>kw</string>
<string>None</string> <string>None</string>
<string>f</string> <string>f</string>
......
...@@ -73,7 +73,7 @@ this is not used in current implementation\n ...@@ -73,7 +73,7 @@ this is not used in current implementation\n
because we don\'t upload files in edit\n because we don\'t upload files in edit\n
"""\n """\n
\n \n
ob=state_change.object\n ob=state_change[\'object\']\n
kw=ob.REQUEST\n kw=ob.REQUEST\n
f=kw.get(\'my_file\', None)\n f=kw.get(\'my_file\', None)\n
\n \n
...@@ -123,8 +123,9 @@ if f is not None and f:\n ...@@ -123,8 +123,9 @@ if f is not None and f:\n
<value> <value>
<tuple> <tuple>
<string>state_change</string> <string>state_change</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>ob</string> <string>ob</string>
<string>_getattr_</string>
<string>kw</string> <string>kw</string>
<string>None</string> <string>None</string>
<string>f</string> <string>f</string>
......
...@@ -75,7 +75,7 @@ XXX - This script must be verified, written with clean syntax \n ...@@ -75,7 +75,7 @@ XXX - This script must be verified, written with clean syntax \n
and using less horrible methods (request lookup yuk!)\n and using less horrible methods (request lookup yuk!)\n
"""\n """\n
\n \n
ob=state_change.object\n ob=state_change[\'object\']\n
kw=ob.REQUEST\n kw=ob.REQUEST\n
metafields=(\'title\',\'subject\',\'description\',\'reference\',\'version\',\'language\') # XXX hardcoded?\n metafields=(\'title\',\'subject\',\'description\',\'reference\',\'version\',\'language\') # XXX hardcoded?\n
f=kw.get(\'my_file\',None)\n f=kw.get(\'my_file\',None)\n
...@@ -139,8 +139,9 @@ if ob.hasBaseData():\n ...@@ -139,8 +139,9 @@ if ob.hasBaseData():\n
<value> <value>
<tuple> <tuple>
<string>state_change</string> <string>state_change</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>ob</string> <string>ob</string>
<string>_getattr_</string>
<string>kw</string> <string>kw</string>
<string>metafields</string> <string>metafields</string>
<string>None</string> <string>None</string>
...@@ -149,7 +150,6 @@ if ob.hasBaseData():\n ...@@ -149,7 +150,6 @@ if ob.hasBaseData():\n
<string>_getiter_</string> <string>_getiter_</string>
<string>mf</string> <string>mf</string>
<string>keymf</string> <string>keymf</string>
<string>_getitem_</string>
<string>_write_</string> <string>_write_</string>
</tuple> </tuple>
</value> </value>
......
...@@ -68,7 +68,7 @@ ...@@ -68,7 +68,7 @@
</item> </item>
<item> <item>
<key> <string>_body</string> </key> <key> <string>_body</string> </key>
<value> <string>o = state_change.object\n <value> <string>o = state_change[\'object\']\n
ref = o.getReference()\n ref = o.getReference()\n
if ref is None: # this shouldn\'t happen\n if ref is None: # this shouldn\'t happen\n
raise Exception(\'how on earth can reference be None?\')\n raise Exception(\'how on earth can reference be None?\')\n
...@@ -121,8 +121,9 @@ for ob in [r.getObject() for r in res]: # again, this should never happen, but s ...@@ -121,8 +121,9 @@ for ob in [r.getObject() for r in res]: # again, this should never happen, but s
<value> <value>
<tuple> <tuple>
<string>state_change</string> <string>state_change</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>o</string> <string>o</string>
<string>_getattr_</string>
<string>ref</string> <string>ref</string>
<string>None</string> <string>None</string>
<string>Exception</string> <string>Exception</string>
......
...@@ -68,7 +68,7 @@ ...@@ -68,7 +68,7 @@
</item> </item>
<item> <item>
<key> <string>_body</string> </key> <key> <string>_body</string> </key>
<value> <string>o = state_change.object\n <value> <string>o = state_change[\'object\']\n
ref = o.getReference()\n ref = o.getReference()\n
if ref is None: # this shouldn\'t happen\n if ref is None: # this shouldn\'t happen\n
raise Exception(\'how on earth can reference be None?\')\n raise Exception(\'how on earth can reference be None?\')\n
...@@ -121,8 +121,9 @@ for ob in [r.getObject() for r in res]: # again, this should never happen, but s ...@@ -121,8 +121,9 @@ for ob in [r.getObject() for r in res]: # again, this should never happen, but s
<value> <value>
<tuple> <tuple>
<string>state_change</string> <string>state_change</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>o</string> <string>o</string>
<string>_getattr_</string>
<string>ref</string> <string>ref</string>
<string>None</string> <string>None</string>
<string>Exception</string> <string>Exception</string>
......
...@@ -76,7 +76,7 @@ otherwise set a special variable and raise validation exception\n ...@@ -76,7 +76,7 @@ otherwise set a special variable and raise validation exception\n
"""\n """\n
from Products.DCWorkflow.DCWorkflow import ValidationFailed\n from Products.DCWorkflow.DCWorkflow import ValidationFailed\n
\n \n
ob=state_change.object\n ob=state_change[\'object\']\n
res = ob.checkConsistency()\n res = ob.checkConsistency()\n
if res:\n if res:\n
msg= \'The document is not consistent:<br/>\'\n msg= \'The document is not consistent:<br/>\'\n
...@@ -129,8 +129,9 @@ if res:\n ...@@ -129,8 +129,9 @@ if res:\n
<string>state_change</string> <string>state_change</string>
<string>Products.DCWorkflow.DCWorkflow</string> <string>Products.DCWorkflow.DCWorkflow</string>
<string>ValidationFailed</string> <string>ValidationFailed</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>ob</string> <string>ob</string>
<string>_getattr_</string>
<string>res</string> <string>res</string>
<string>msg</string> <string>msg</string>
</tuple> </tuple>
......
...@@ -70,7 +70,7 @@ ...@@ -70,7 +70,7 @@
<key> <string>_body</string> </key> <key> <string>_body</string> </key>
<value> <string encoding="cdata"><![CDATA[ <value> <string encoding="cdata"><![CDATA[
o=state_change.object\n o=state_change[\'object\']\n
u=o.getUrlString()\n u=o.getUrlString()\n
i=u.find(\'://\')\n i=u.find(\'://\')\n
if i>-1:\n if i>-1:\n
...@@ -124,11 +124,11 @@ if i>-1:\n ...@@ -124,11 +124,11 @@ if i>-1:\n
<value> <value>
<tuple> <tuple>
<string>state_change</string> <string>state_change</string>
<string>_getattr_</string> <string>_getitem_</string>
<string>o</string> <string>o</string>
<string>_getattr_</string>
<string>u</string> <string>u</string>
<string>i</string> <string>i</string>
<string>_getitem_</string>
<string>prot</string> <string>prot</string>
<string>Exception</string> <string>Exception</string>
</tuple> </tuple>
......
...@@ -68,7 +68,12 @@ ...@@ -68,7 +68,12 @@
</item> </item>
<item> <item>
<key> <string>_body</string> </key> <key> <string>_body</string> </key>
<value> <string>state_change[\'object\'].getParentValue().assignRoleToSecurityGroup()\n <value> <string>"""\n
This script updates all local roles on the object. It requires Assignor\n
proxy role since it may be called by owner in draft state.\n
"""\n
\n
state_change[\'object\'].getParentValue().assignRoleToSecurityGroup()\n
</string> </value> </string> </value>
</item> </item>
<item> <item>
...@@ -87,6 +92,14 @@ ...@@ -87,6 +92,14 @@
<key> <string>_params</string> </key> <key> <string>_params</string> </key>
<value> <string>state_change</string> </value> <value> <string>state_change</string> </value>
</item> </item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Assignor</string>
</tuple>
</value>
</item>
<item> <item>
<key> <string>errors</string> </key> <key> <string>errors</string> </key>
<value> <value>
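Review bot: The added `_proxy_roles` entry (second hunk) makes `assignRoleToSecurityGroup()` run with Assignor privileges for whoever fires the transition, so the guard of the calling transition becomes the only control on who can rewrite local roles; the new docstring explains why the proxy role is needed but not this consequence. Suggest adding a line to the docstring such as `Access is controlled solely by the guards of the transitions that call this script; the caller's own roles are not checked here.` so that future guard changes are reviewed with this in mind. Which transitions call the script is not visible in the commit, so naming them in the docstring would have to be confirmed against the workflow definition.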
......