[Zope-CMF] WorkFlow / Security advice

matt.bartolome at uniontrib.com
Wed Mar 9 21:35:32 EST 2005


I'm looking for advice on a security/workflow issue. I'm working with
CMFMember but this issue seems to be a CMF/DCWorkflow security issue. What I
need to do is allow unrestricted code from a CMF tool to trigger a workflow
transition. I keep getting unauthorized messages even though I have declared
a public method.

I have a tool that does the following:

    security.declarePublic('triggerWorkFlowAction')
    def triggerWorkFlowAction( self,id,workflow_action,comment=''):
        """
        triggers workflow_action
        """
        mtool = getToolByName(self, 'portal_memberdata')
        member = mtool[id].__of__(self)
        member.portal_workflow.doActionFor(member,
              workflow_action,
              wf_id='member_auto_workflow')

I've traced the unauthorized error to this method in
AccessControl.ImplPython:

    def checkPermission(self, permission, object, context):
        # XXX proxy roles and executable owner are not checked
        roles = rolesForPermissionOn(permission, object)
        if isinstance(roles, basestring):
            roles = [roles]
        return context.user.allowed(object, roles)

This is from Guard.py; if I modify check to return 1, everything works how I
want it to.

    def check(self, sm, wf_def, ob):
        '''
        Checks conditions in this guard.
        '''
        pp = self.permissions
        if pp:
            found = 0
            for p in pp:
                if sm.checkPermission(p, ob):
                    found = 1
                    break
            if not found:
                return 0
        roles = self.roles

I'm using Zope-2.7.3 CMF-1.4.7

Any advice or help would be appreciated.
Thanks,
Matt
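
The check path traced in the message above, as a simplified model added here (it is not part of the original post and is not Zope or CMF code). It shows that making the tool method callable by anyone does not change which user the guard evaluates; the classes, the `attempt` helper and the permission-to-roles mapping are constructed for illustration.

```python
# Constructed model: tool method -> Guard.check -> checkPermission -> user.allowed
class Unauthorized(Exception):
    pass

class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)
    def allowed(self, obj, required_roles):
        # Only the roles of the authenticated user are consulted.
        return bool(self.roles & set(required_roles))

class SecurityManager:
    def __init__(self, user):
        self.user = user
    def checkPermission(self, permission, obj):
        # Assumed default for the model: unmapped permissions need Manager.
        roles = obj.permission_roles.get(permission, ("Manager",))
        if isinstance(roles, str):
            roles = [roles]
        return self.user.allowed(obj, roles)

class Guard:
    def __init__(self, permissions):
        self.permissions = permissions
    def check(self, sm, ob):
        # Same shape as the Guard.check excerpt: any one permission suffices.
        if self.permissions:
            return any(sm.checkPermission(p, ob) for p in self.permissions)
        return True

class Member:
    # Hypothetical permission-to-roles mapping on the workflow object.
    permission_roles = {"Review portal content": ("Manager", "Reviewer")}
    state = "pending"

class Tool:
    guard = Guard(("Review portal content",))
    # Stands in for a method declared public: any caller may invoke it,
    # but the guard still decides on the caller's own roles.
    def triggerWorkFlowAction(self, sm, member):
        if not self.guard.check(sm, member):
            raise Unauthorized("guard rejected user %s" % sm.user.name)
        member.state = "approved"
        return member.state

def attempt(user):
    try:
        return Tool().triggerWorkFlowAction(SecurityManager(user), Member())
    except Unauthorized:
        return "Unauthorized"
```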


