Commit 49d02258 authored by Jérome Perrin's avatar Jérome Perrin

ERP5Type/patches: prepare for removal of Products.DCWorkflowGraph

Supports the case where Products.DCWorkflowGraph is not present.
Even though we are removing Products.DCWorkflowGraph from the
software release, we don't remove this monkey patch yet, because
this monkey patch also fixed a severe security issue. We keep the
patch for the cases where a recent ERP5 runs on an old SlapOS where
the product is still there.

This change just moves the existing code in a try/except ImportError
block
parent 651deb9a
......@@ -28,29 +28,35 @@
#
##############################################################################
from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Globals import InitializeClass
from Products.ERP5Type import Permissions
# Products.DCWorkflowGraph.config does not check the return value of
# getenv('PATH'). This fails if PATH is not defined which is the case when
# running ZEO with SlapOS for example. But, Products.DCWorkflowGraph.__init__
# imports Products.DCWorkflowGraph.config as a side-effect of importing
# getGraph, so the only solution is to create a Module which will hide the
# one from DCWorkflowGraph
from types import ModuleType
dc_workflow_config_module = ModuleType('Products.DCWorkflowGraph.config')
import sys
sys.modules['Products.DCWorkflowGraph.config'] = dc_workflow_config_module
# where is 'pot'?, add your path here
import os
try:
import Products.DCWorkflowGraph
except ImportError:
pass
else:
# BBB keep Products.DCWorkflowGraph patch for a while as it solves a security issue
from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Globals import InitializeClass
from Products.ERP5Type import Permissions
# Products.DCWorkflowGraph.config does not check the return value of
# getenv('PATH'). This fails if PATH is not defined which is the case when
# running ZEO with SlapOS for example. But, Products.DCWorkflowGraph.__init__
# imports Products.DCWorkflowGraph.config as a side-effect of importing
# getGraph, so the only solution is to create a Module which will hide the
# one from DCWorkflowGraph
from types import ModuleType
dc_workflow_config_module = ModuleType('Products.DCWorkflowGraph.config')
import sys
sys.modules['Products.DCWorkflowGraph.config'] = dc_workflow_config_module
# where is 'pot'?, add your path here
import os
DOT_EXE = 'dot'
bin_search_path = []
DOT_EXE = 'dot'
bin_search_path = []
if os.name == 'nt':
if os.name == 'nt':
DOT_EXE = 'dot.exe'
# patch from Joachim Bauch bauch@struktur.de
......@@ -71,18 +77,18 @@ if os.name == 'nt':
except ImportError:
# win32 may be not installed...
pass
else:
else:
# for posix systems
DOT_EXE = 'dot'
path = os.getenv("PATH")
if path is not None:
bin_search_path = path.split(":")
dc_workflow_config_module.bin_search_path = bin_search_path
dc_workflow_config_module.DOT_EXE = DOT_EXE
dc_workflow_config_module.bin_search_path = bin_search_path
dc_workflow_config_module.DOT_EXE = DOT_EXE
def getObjectTitle(obj, REQUEST=None):
def getObjectTitle(obj, REQUEST=None):
"""
Get a state/transition title to be displayed in the graph.
......@@ -125,24 +131,25 @@ def getObjectTitle(obj, REQUEST=None):
return title
from Products.DCWorkflowGraph import DCWorkflowGraph
DCWorkflowGraph.getObjectTitle = getObjectTitle
from Products.DCWorkflowGraph import DCWorkflowGraph
DCWorkflowGraph.getObjectTitle = getObjectTitle
from Products.DCWorkflowGraph.config import bin_search_path, DOT_EXE
from zLOG import LOG, WARNING
import subprocess
from Products.DCWorkflowGraph.config import bin_search_path, DOT_EXE
from zLOG import LOG, WARNING
import subprocess
def getGraph(self, wf_id="", format="png", REQUEST=None):
def getGraph(self, wf_id="", format="png", REQUEST=None):
"""show a workflow as a graph, copy from:
"OpenFlowEditor":http://www.openflow.it/wwwopenflow/Download/OpenFlowEditor_0_4.tgz
"OpenFlowEditor":http://www.openflow.it/wwwopenflow/Download/OpenFlowEditor_0_4.tgz
Monkey-patched to specify font name and size as 'dot' uses Times font by
default which does not support Japanese:
Monkey-patched to fix command injection and specify font name and size as 'dot'
uses Times font by default which does not support Japanese:
http://www.graphviz.org/doc/fontfaq.txt
Another solution would be to modify fontconfig configuration so that Times
match Japanese font or to use Unifont which supports many code points.
match Japanese font or to use Unifont which supports many code points - but we
don't care, this is obsolete code.
"""
try:
pot = self.getPOT(wf_id, REQUEST)
......@@ -167,7 +174,7 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
'-Efontname=IPAexGothic', '-Efontsize=10',
'-T%s' % format),
stdin=subprocess.PIPE, stdout=subprocess.PIPE)
result = p.communicate(pot)[0]
result = p.communicate(result)[0]
setHeader('Content-Type', 'image/%s' % format)
else:
......@@ -181,14 +188,14 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
return result
DCWorkflowGraph.getGraph = getGraph
DCWorkflowGraph.getGraph = getGraph
from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
DCWorkflowDefinition.getGraph = getGraph
DCWorkflowDefinition.getPOT = DCWorkflowGraph.getPOT
from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
DCWorkflowDefinition.getGraph = getGraph
DCWorkflowDefinition.getPOT = DCWorkflowGraph.getPOT
security = ClassSecurityInfo()
security.declareProtected(Permissions.ManagePortal, 'getPOT')
security.declareProtected(Permissions.ManagePortal, 'getGraph')
DCWorkflowDefinition.security = security
InitializeClass(DCWorkflowDefinition)
security = ClassSecurityInfo()
security.declareProtected(Permissions.ManagePortal, 'getPOT')
security.declareProtected(Permissions.ManagePortal, 'getGraph')
DCWorkflowDefinition.security = security
InitializeClass(DCWorkflowDefinition)
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment