• Vincent Pelletier's avatar
    Products.CMFActivity.ActivityTool: Store user object in activity. · f363ac65
    Vincent Pelletier authored
    When spawning an activity, store the current security context's user in
    the Message object itself, so the activity security context can be
    re-created with the same security during activity execution.
    This allows a user to be modified (different groups, global roles, maybe
    removed altogether) after they spawned activities and before these activities
    could run.
    It also means that any temporary custom group or global role granted to
    that user (by a privilege elevation mechanism out of the scope of this
    change) will still be effective during the activity execution.
    This follows the principle that
      foo.activate(...).bar(...)
    should be equivalent to its "immediate execution" version
      foo.bar(...)
    by ensuring that the security context of the activity is the same as the
    one which was applied to the code which spawned that activity,
    independently of any intermediate configuration change - hence improving
    (deferred and fragmentary) transaction isolation.
    
    This also removes the need to look the user up, then looking up their
    assignments (and other documents involved in group computation), etc,
    saving the cost of these calls.
    
    Also, remove redundant user_name argument of Message.changeUser method.
    f363ac65
ActivityTool.py 72.3 KB