[Zope-CMF] WorkFlow / Security advice

Dieter Maurer dieter at handshake.de
Thu Mar 10 14:19:06 EST 2005


matt.bartolome at uniontrib.com wrote at 2005-3-9 18:35 -0800:
>I'm looking for advice on a security/workflow issue. I'm working with
>CMFMember but this issue seems to be a CMF/DCWorkflow security issue. What I
>need to do is allow unrestricted code from a cmf tool to trigger a workflow
>transition. I keep getting unauthorized messages even though I have declared
>a public method.

The workflow has no notion of "called by trusted code" -- it performs
security locally and independently of where "doActionFor" has been
called (whether or not it was called from trusted or untrusted code,
this means).

If the transition is only called programmatically, you
can clear its action-related fields. Then the transition
does not generate an action (and is invisible at the user interface).
You can then check in a script (before) that it is only called
by trusted code (e.g. because it was called with a secret argument).

-- 
Dieter
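
Added example (not part of the original message and not DCWorkflow's own code): a sketch of the secret-argument check described above, in modern Python with stand-ins so it runs without Zope. It assumes the keyword arguments passed to doActionFor reach the transition's "before" script as `state_change.kwargs`; `trusted_token`, `require_trusted_caller` and the other names are hypothetical.

```python
import hmac
import secrets

# Constructed for this example: a per-process token known only to trusted
# filesystem code. Restricted (through-the-web) code must not be able to read it.
_TRUSTED_TOKEN = secrets.token_hex(32)


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized so the example runs without Zope."""


class FakeStateChange:
    """Stand-in for the object DCWorkflow hands to a transition script.

    Assumption: keyword arguments given to doActionFor appear as `kwargs`.
    """
    def __init__(self, kwargs=None):
        self.kwargs = kwargs or {}


def require_trusted_caller(state_change):
    """'Before' script body: refuse the transition unless the token matches."""
    supplied = (state_change.kwargs or {}).get("trusted_token")
    # Reject a missing or non-string value before comparing.
    if not isinstance(supplied, str):
        raise Unauthorized("transition may only be triggered by trusted code")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(supplied.encode(), _TRUSTED_TOKEN.encode()):
        raise Unauthorized("transition may only be triggered by trusted code")
    return True


def fake_do_action(**kw):
    """Stand-in for the workflow running the 'before' script."""
    return require_trusted_caller(FakeStateChange(kw))


def trigger_from_trusted_tool(run_transition):
    """What the trusted tool method does: pass the token with the call.

    `run_transition` is a hypothetical callable standing in for
    portal_workflow.doActionFor(ob, 'transition_id', trusted_token=...).
    """
    return run_transition(trusted_token=_TRUSTED_TOKEN)
```

The check only holds while untrusted code cannot read the token, so the token belongs in filesystem code and nowhere restricted code can reach it.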

