Commit 8fbd45f5 authored by Julien Muchembled's avatar Julien Muchembled

Role Definition: disallow giving arbitrary role using setRoleName directly

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@29538 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent c5aa3860
...@@ -54,13 +54,10 @@ ...@@ -54,13 +54,10 @@
<item> <item>
<key> <string>_body</string> </key> <key> <string>_body</string> </key>
<value> <string>from Products.ERP5Type.Message import translateString\n <value> <string>from Products.ERP5Type.Message import translateString\n
item_list = [(\'\', \'\')]\n
\n \n
for role in context.valid_roles():\n return [(translateString(role), role)\n
if role not in (\'Owner\', \'Manager\', \'Assignor\',):\n for role in context.valid_roles()\n
item_list.append((translateString(role), role))\n if role not in (\'Owner\', \'Manager\')]\n
\n
return item_list\n
</string> </value> </string> </value>
</item> </item>
<item> <item>
...@@ -99,7 +96,8 @@ return item_list\n ...@@ -99,7 +96,8 @@ return item_list\n
<tuple> <tuple>
<string>Products.ERP5Type.Message</string> <string>Products.ERP5Type.Message</string>
<string>translateString</string> <string>translateString</string>
<string>item_list</string> <string>append</string>
<string>$append0</string>
<string>_getiter_</string> <string>_getiter_</string>
<string>_getattr_</string> <string>_getattr_</string>
<string>context</string> <string>context</string>
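Review bot: The new comprehension excludes only 'Owner' and 'Manager', while the left-hand (apparently old) version of the loop also excluded 'Assignor'; since this script now feeds both the form's item list and the `_setRoleName` check in RoleDefinition.py, dropping 'Assignor' quietly widens what a Role Definition editor may grant. If that widening is intended it should be stated, otherwise keep `if role not in ('Owner', 'Manager', 'Assignor')`. A one-line docstring such as `"""Roles a Role Definition may grant; RoleDefinition._setRoleName rejects anything else."""` would make clear that this script is now a security control rather than just a vocabulary.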
...@@ -13,9 +13,9 @@ ...@@ -13,9 +13,9 @@
<key> <string>delegated_list</string> </key> <key> <string>delegated_list</string> </key>
<value> <value>
<list> <list>
<string>title</string>
<string>description</string> <string>description</string>
<string>items</string> <string>items</string>
<string>title</string>
</list> </list>
</value> </value>
</item> </item>
...@@ -133,7 +133,7 @@ ...@@ -133,7 +133,7 @@
<dictionary> <dictionary>
<item> <item>
<key> <string>_text</string> </key> <key> <string>_text</string> </key>
<value> <string>here/RoleDefinition_getRoleNameItemList</string> </value> <value> <string>python: [(\'\',\'\')] + here.RoleDefinition_getRoleNameItemList()</string> </value>
</item> </item>
</dictionary> </dictionary>
</pickle> </pickle>
637 638
\ No newline at end of file \ No newline at end of file
...@@ -25,7 +25,7 @@ ...@@ -25,7 +25,7 @@
# #
############################################################################## ##############################################################################
from AccessControl import ClassSecurityInfo from AccessControl import ClassSecurityInfo, Unauthorized
from Products.CMFCore.utils import getToolByName from Products.CMFCore.utils import getToolByName
from Products.ERP5Type import Permissions, PropertySheet, Constraint, interfaces from Products.ERP5Type import Permissions, PropertySheet, Constraint, interfaces
from Products.ERP5Type.XMLObject import XMLObject from Products.ERP5Type.XMLObject import XMLObject
...@@ -49,3 +49,9 @@ class RoleDefinition(XMLObject): ...@@ -49,3 +49,9 @@ class RoleDefinition(XMLObject):
, PropertySheet.DublinCore , PropertySheet.DublinCore
, PropertySheet.RoleDefinition , PropertySheet.RoleDefinition
) )
def _setRoleName(self, value):
if value and value not in \
zip(*self.RoleDefinition_getRoleNameItemList())[1]:
raise Unauthorized("You are not allowed to give %s role" % value)
self._baseSetRoleName(value)
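Review bot: `zip(*self.RoleDefinition_getRoleNameItemList())[1]` raises IndexError rather than Unauthorized when the script returns an empty list (zip of no arguments is `[]`), so the guard should not depend on the list being non-empty: `allowed = set(role for _, role in self.RoleDefinition_getRoleNameItemList())` then `if value and value not in allowed:`. The check also delegates the deny-list to a skin Python Script, which a custom skin folder can override; at minimum a comment should say so, and moving the 'Owner'/'Manager' exclusion into this class would make the enforcement harder to bypass. Add a docstring, e.g. `"""Refuse role names outside RoleDefinition_getRoleNameItemList; an empty value clears the role."""`. The RoleDefinition class starts before this hunk.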
...@@ -1043,6 +1043,8 @@ class TestERP5WebWithSimpleSecurity(ERP5TypeTestCase): ...@@ -1043,6 +1043,8 @@ class TestERP5WebWithSimpleSecurity(ERP5TypeTestCase):
site.get_local_roles_for_userid(person_reference)) site.get_local_roles_for_userid(person_reference))
self.assertSameSet(('Associate',), self.assertSameSet(('Associate',),
section.get_local_roles_for_userid(person_reference)) section.get_local_roles_for_userid(person_reference))
self.assertRaises(Unauthorized, site_role_definition.edit,
role_name='Manager')
# delete Role Definition and check again (local roles must be gone too) # delete Role Definition and check again (local roles must be gone too)
site.manage_delObjects(site_role_definition.getId()) site.manage_delObjects(site_role_definition.getId())
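Review bot: The new assertion covers only 'Manager'; 'Owner' is the other denied role and the empty value is the explicit pass-through in the new setter, so add `self.assertRaises(Unauthorized, site_role_definition.edit, role_name='Owner')` and a positive `site_role_definition.edit(role_name='Associate')` to pin both sides of the check. Make sure `Unauthorized` is imported in this test module; the import is not visible in the hunk. The enclosing test method starts before this hunk.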