Commit b3513b16 authored by Jérome Perrin's avatar Jérome Perrin

core: respect "View History" permission in ZODB History

This action should only be possible if the user has the "View History"
permission.

erp5_data_protection relies on removing the "View History" permission to
make sure users cannot see the properties before protection in the
history tab. This was supported by Base_viewHistory, but not by ZODB
History

(cherry picked from commit d2c08463)
parent cc1edf1b
from AccessControl import getSecurityManager
from zExceptions import Unauthorized
from Products.ERP5Type.Document import newTempBase from Products.ERP5Type.Document import newTempBase
portal = context.getPortalObject() portal = context.getPortalObject()
result = [] result = []
if not getSecurityManager().getUser().has_permission('View History', context):
raise Unauthorized()
def beautifyChange(change_dict): def beautifyChange(change_dict):
return ["%s:%s" % (k,change_dict[k]) for k in sorted(change_dict.keys())] return ["%s:%s" % (k,change_dict[k]) for k in sorted(change_dict.keys())]
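Review bot: The new guard `if not getSecurityManager().getUser().has_permission('View History', context):` checks the logged-in user directly instead of calling `getSecurityManager().checkPermission`, and nothing on the page says why. If that is deliberate, presumably so that proxy roles on a calling script cannot satisfy the check, a comment such as `# check the real user, not the execution context: proxy roles must not grant history access` would keep a later cleanup from weakening it. `raise Unauthorized()` carries no message; `raise Unauthorized('View History permission is required')` would make the denial identifiable in error logs. The rest of the script is collapsed below this hunk, so this assumes no history data is read before the guard runs.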
......
...@@ -164,7 +164,9 @@ ...@@ -164,7 +164,9 @@
</item> </item>
<item> <item>
<key> <string>enabled</string> </key> <key> <string>enabled</string> </key>
<value> <string></string> </value> <value>
<persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
</value>
</item> </item>
<item> <item>
<key> <string>external_validator</string> </key> <key> <string>external_validator</string> </key>
...@@ -178,6 +180,10 @@ ...@@ -178,6 +180,10 @@
<key> <string>hidden</string> </key> <key> <string>hidden</string> </key>
<value> <string></string> </value> <value> <string></string> </value>
</item> </item>
<item>
<key> <string>input_type</string> </key>
<value> <string></string> </value>
</item>
<item> <item>
<key> <string>link_type</string> </key> <key> <string>link_type</string> </key>
<value> <string></string> </value> <value> <string></string> </value>
...@@ -312,4 +318,17 @@ ...@@ -312,4 +318,17 @@
</dictionary> </dictionary>
</pickle> </pickle>
</record> </record>
<record id="3" aka="AAAAAAAAAAM=">
<pickle>
<global name="TALESMethod" module="Products.Formulator.TALESField"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_text</string> </key>
<value> <string>python: modules[\'AccessControl\'].getSecurityManager().getUser().has_permission(\'View History\', context)</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData> </ZopeData>
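Review bot: The `enabled` TALES expression added in record 3 only decides whether the field is rendered, so it is a display convenience and not the access control. The commit description should say so, so that hiding the link is not later taken as sufficient protection on its own. The permission name `'View History'` is now a string literal both here and in the script guard, and the two have to be kept in step. The empty `input_type` item added in the second hunk looks unrelated to the permission change, probably a re-export artefact, and could be noted as such.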
...@@ -122,6 +122,29 @@ class TestZODBHistory(ERP5TypeTestCase): ...@@ -122,6 +122,29 @@ class TestZODBHistory(ERP5TypeTestCase):
# should be: create(1) + edit(60) = 61 # should be: create(1) + edit(60) = 61
self.assertEqual(len(history_list), 61) self.assertEqual(len(history_list), 61)
def test_testZODBHistorySecurity(self):
"""
Make sure ZODB History is not available when user does not have "View History" permission.
"""
self.loginByUserName('tatuya')
document = self.addOrganisation('document')
# by default, users have a link to view ZODB history in history tab
self.assertIn(
'your_zodb_history',
[field.getId() for field in document.Base_viewHistory.get_fields()])
# when user does not have "View History" permission, the link is not displayed
document.manage_permission('View History', [], 0)
self.assertNotIn(
'your_zodb_history',
[field.getId() for field in document.Base_viewHistory.get_fields()])
# accessing the form directly is not allowed either
from zExceptions import Unauthorized
self.assertRaises(Unauthorized, document.Base_viewZODBHistory)
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestZODBHistory)) suite.addTest(unittest.makeSuite(TestZODBHistory))
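Review bot: `test_testZODBHistorySecurity` asserts that `document.Base_viewZODBHistory` raises `Unauthorized` once the permission is removed, but never calls it while the permission is still granted. The test would therefore also pass if the form raised `Unauthorized` for 'tatuya' for an unrelated reason. Calling `document.Base_viewZODBHistory()` once before `document.manage_permission('View History', [], 0)` would tie the denial to the permission itself. The `from zExceptions import Unauthorized` inside the test body would read better with the module-level imports, which are outside this hunk, as is the start of the class.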
......