[Zope-CMF] dcworkflow variables and security ManagePortal

Sune Brøndum Wøller sune at syntetisk.dk
Sun Jan 25 21:05:45 EST 2004



> -----Original Message-----
> From: Dieter Maurer [mailto:dieter at handshake.de]
> Sent: 26. januar 2004 00:12
> To: Sune Brøndum Wøller
> Cc: Zope-Cmf at Zope. Org
> Subject: Re: [Zope-CMF] dcworkflow variables and security ManagePortal
>
>
> Sune Brøndum Wøller wrote at 2004-1-23 18:35 +0100:
> > ...
> >Here comes the real problem:
> >
> >BUT, apparently you are only allowed to 'work with'
> >variables if you have the permission
> >"ManagePortal". When my normal members submit content
> >the state_title variable is set to None. When I give the member-role
> >the permission "ManagePortal" it works, the variable is updated on
> >every transition.
> >
> >
> >In the code Variables.py:
> >
> >class VariableDefinition (SimpleItem):
> >    meta_type = 'Workflow Variable'
> >
> >    security = ClassSecurityInfo()
> >    security.declareObjectProtected(ManagePortal)
> >...
> >
> >
> >
> >Why is this so?
> >I guess it should be changed...?
>
> This security declaration should not be relevant for the setting
> of workflow variables (as this is done from Python product
> code not restricted by the security mechanism).
>
> In no case, should a missing permission cause a different value
> to be stored in the variable (you should get an "Unauthorized"
> exception instead).


I do get an unauthorized if I remove | nothing - see below


>
> I think, I use workflow variables successfully, i.e. I do not observe
> behaviour you report...
>
> --
> Dieter
>

I have confirmed this problem with a fresh cmf-site, a fresh
dcworkflow (classic), and Zope 2.6.2 / CMF 1.4.2


1) I create a workflow variable in the variables tab of the workflow.
It is here (not under the states or transitions) that I set the default
expression to:
state_change/new_state/title | nothing
The other settings I leave as they are.

2) I customize main_template.
The following line is added after the definition of wf_state:

  wf_state_title python:wtool.getInfoFor(here,'state_title','');

I show wf_state_title down in the actions box.

3) I join, and submit the index_html that is created for me.
No title shows up.
I look at the attributes of index_html, and in the workflow_history
state_title is None
for the submit-action I just made.

4) I log out, and log on as manager. Reject the doc, and the title shows up.



I suspect the problem has something to do with the "new_state/title" part of
the expression:
state_change/new_state/title | nothing

since the expressions on the other variables work fine.

If I remove " | nothing" the member is asked to login when attempting a
wf-action.
If I remove /title, the same.
If I try with just state_change, it goes through. And you see:
  Status: pending
  <Products.DCWorkflow.Expression.StateChangeInfo instance at 02663864>
in the actions box.
The conclusion is you can't access the state_change/new_state object without
the "ManagePortal".

The same for:
state_change/transition
state_change/old_state

Several others work fine:
state_change/object
state_change/status

(didn't try them all)

greetings, Sune
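
The behaviour reported in this message, as an added simplified model (not code from the thread or from Zope/DCWorkflow): it assumes, consistent with the observations above, that a `|` alternative treats an authorization failure like a missing value, so the denial is stored as None instead of surfacing. All class and function names, the `View` permission, the `denied` list and the sample context are constructed for illustration.

```python
# Simplified model of the reported behaviour, not Zope/DCWorkflow code; names are hypothetical.
class Unauthorized(Exception):
    """The current user lacks the permission guarding an object."""


class Protected:
    """Stand-in for an object guarded by a single permission."""

    def __init__(self, permission, **attrs):
        self.permission, self.attrs = permission, attrs


def traverse(root, path, permissions):
    """Walk 'a/b/c' from root, checking the guard of each object reached."""
    obj = root
    for name in path.split("/"):
        obj = obj.attrs[name] if isinstance(obj, Protected) else obj[name]
        if isinstance(obj, Protected) and obj.permission not in permissions:
            raise Unauthorized(path)
    return obj


def evaluate(expr, root, permissions, denied=None):
    """Evaluate 'path | ... | nothing'; record alternatives that were denied."""
    alternatives = [alt.strip() for alt in expr.split("|")]
    for position, alt in enumerate(alternatives):
        if alt == "nothing":
            return None
        try:
            return traverse(root, alt, permissions)
        except (KeyError, Unauthorized) as exc:
            if isinstance(exc, Unauthorized) and denied is not None:
                denied.append(alt)  # keep the denial visible to the caller
            if position == len(alternatives) - 1:
                raise  # no fallback left: the error reaches the caller


# Constructed sample context: new_state is guarded, status is not.
CONTEXT = {"state_change": {
    "new_state": Protected("ManagePortal", title="Pending"),
    "status": {"review_state": "pending"},
}}
MEMBER, MANAGER = {"View"}, {"View", "ManagePortal"}

if __name__ == "__main__":
    denied = []
    expr = "state_change/new_state/title | nothing"
    print(evaluate(expr, CONTEXT, MEMBER, denied), denied)
    print(evaluate(expr, CONTEXT, MANAGER))
```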
