  1. 04 Nov, 2016 1 commit
  2. 13 Mar, 2015 1 commit
  3. 05 Dec, 2014 1 commit
    • ERP5Form : solve security issues with dynamic dialog Folder_viewSearchDialog · 235c29f3
      Sebastien Robin authored
      With a non-manager user, the dialog was raising an UnauthorizedError
      when accessing form properties like id or update_action.
      
      With verbose security we had :
      Unauthorized: Your user account does not have the required permission.
      Access to 'update_action' of (ERP5Form at /erp5/person_module/Folder_viewSearchDialog)
      denied. Your user account, [some account], exists at /erp5/acl_users. Access requires
      one of the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor', 'Author',
      'Manager']. Your roles in this context are ['Authenticated', 'Member'].
      
      By looking further, this regression started with the introduction of erp5_hal_json_style
      bt which installs ERP5 Form portal type with "Acquire Local Roles" unchecked.
      
      By looking also at acquisition chains of usual Form :
      
      (Pdb) self.person_module.PersonModule_viewPersonList.aq_chain
      [<ERP5 Form at /erp5/PersonModule_viewPersonList used for /erp5/person_module>,
       <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >,
       <ZPublisher.BaseRequest.RequestContainer object at 0x7f76305cae90>]
      
      And at the one of Folder_viewSearchDialog:
      
      (Pdb) self.person_module.Folder_viewSearchDialog().aq_chain
      [<ERP5Form at /erp5/person_module/Folder_viewSearchDialog>,
       <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >,
       <ZPublisher.BaseRequest.RequestContainer object at 0x7f05f0751850>]
      
      It seems fixing the acquisition chain is a better option than allowing to Acquire Local
      Roles on all forms. We now have the following chain for this dialog:
      
      After this patch, we have :
      (Pdb) self.person_module.Folder_viewSearchDialog().aq_chain
      [<ERP5Form at /erp5/Folder_viewSearchDialog used for /erp5/person_module>,
       <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >,
       <ZPublisher.BaseRequest.RequestContainer object at 0x7f76305cae90>]
  4. 16 Oct, 2014 1 commit
  5. 04 Sep, 2014 1 commit
  6. 28 Aug, 2013 1 commit
  7. 31 Oct, 2012 1 commit
  8. 07 Feb, 2011 1 commit
  9. 03 Feb, 2011 1 commit
  10. 30 Sep, 2010 1 commit
  11. 15 Jul, 2010 1 commit
    • sync with trunk@37114 · c1ae57b0
      Sebastien Robin authored
      Conflicts:
      	bt5/erp5_base/bt/revision
      	bt5/erp5_simulation/DocumentTemplateItem/InvoiceSimulationRule.py
      	bt5/erp5_simulation/bt/revision
      	bt5/erp5_trade/SkinTemplateItem/portal_skins/erp5_trade/Base_viewTradeFieldLibrary.xml
      	bt5/erp5_trade/bt/change_log
      	bt5/erp5_trade/bt/revision
      	products/ERP5/Document/BusinessPath.py
      	products/ERP5/Document/SimulationMovement.py
      	products/ERP5/Document/TradeCondition.py
      	products/ERP5/Document/TradeModelLine.py
      	products/ERP5/bootstrap/erp5_mysql_innodb_catalog/bt/revision
      	products/ERP5Type/ERP5Type.py
      
      git-svn-id: https://svn.erp5.org/repos/public/erp5/sandbox/amount_generator@37129 20353a03-c40f-0410-a6d1-a30d3c3de9de
  12. 17 Jun, 2010 1 commit
  13. 16 Jun, 2010 1 commit
  14. 02 Nov, 2009 1 commit
  15. 28 Oct, 2009 1 commit
  16. 27 Oct, 2009 2 commits
  17. 07 Oct, 2009 1 commit
  18. 02 Oct, 2009 1 commit
  19. 26 Sep, 2008 1 commit
  20. 04 Sep, 2008 1 commit
  21. 28 Aug, 2008 1 commit
  22. 01 Aug, 2008 1 commit
  23. 24 Jun, 2008 1 commit
  24. 16 Jun, 2008 1 commit
  25. 01 Apr, 2008 1 commit
  26. 20 Nov, 2007 2 commits