Commit 49d02258 authored by Jérome Perrin's avatar Jérome Perrin

ERP5Type/patches: prepare for removal of Products.DCWorkflowGraph

Supports the case where Products.DCWorkflowGraph is not present.
Even though we are removing Products.DCWorkflowGraph from the
software release, we don't remove this monkey patch yet, because
this monkey patch also fixed a severe security issue. We keep the
patch for the cases where a recent ERP5 runs on an old SlapOS where
the product is still there.

This change just moves the existing code in a try/except ImportError
block
parent 651deb9a
...@@ -28,29 +28,35 @@ ...@@ -28,29 +28,35 @@
# #
############################################################################## ##############################################################################
from AccessControl import ClassSecurityInfo try:
from Products.ERP5Type.Globals import InitializeClass import Products.DCWorkflowGraph
from Products.ERP5Type import Permissions except ImportError:
pass
# Products.DCWorkflowGraph.config does not check the return value of else:
# getenv('PATH'). This fails if PATH is not defined which is the case when # BBB keep Products.DCWorkflowGraph patch for a while as it solves a security issue
# running ZEO with SlapOS for example. But, Products.DCWorkflowGraph.__init__ from AccessControl import ClassSecurityInfo
# imports Products.DCWorkflowGraph.config as a side-effect of importing from Products.ERP5Type.Globals import InitializeClass
# getGraph, so the only solution is to create a Module which will hide the from Products.ERP5Type import Permissions
# one from DCWorkflowGraph
from types import ModuleType # Products.DCWorkflowGraph.config does not check the return value of
dc_workflow_config_module = ModuleType('Products.DCWorkflowGraph.config') # getenv('PATH'). This fails if PATH is not defined which is the case when
# running ZEO with SlapOS for example. But, Products.DCWorkflowGraph.__init__
import sys # imports Products.DCWorkflowGraph.config as a side-effect of importing
sys.modules['Products.DCWorkflowGraph.config'] = dc_workflow_config_module # getGraph, so the only solution is to create a Module which will hide the
# one from DCWorkflowGraph
# where is 'pot'?, add your path here from types import ModuleType
import os dc_workflow_config_module = ModuleType('Products.DCWorkflowGraph.config')
import sys
sys.modules['Products.DCWorkflowGraph.config'] = dc_workflow_config_module
# where is 'pot'?, add your path here
import os
DOT_EXE = 'dot' DOT_EXE = 'dot'
bin_search_path = [] bin_search_path = []
if os.name == 'nt': if os.name == 'nt':
DOT_EXE = 'dot.exe' DOT_EXE = 'dot.exe'
# patch from Joachim Bauch bauch@struktur.de # patch from Joachim Bauch bauch@struktur.de
...@@ -71,18 +77,18 @@ if os.name == 'nt': ...@@ -71,18 +77,18 @@ if os.name == 'nt':
except ImportError: except ImportError:
# win32 may be not installed... # win32 may be not installed...
pass pass
else: else:
# for posix systems # for posix systems
DOT_EXE = 'dot' DOT_EXE = 'dot'
path = os.getenv("PATH") path = os.getenv("PATH")
if path is not None: if path is not None:
bin_search_path = path.split(":") bin_search_path = path.split(":")
dc_workflow_config_module.bin_search_path = bin_search_path dc_workflow_config_module.bin_search_path = bin_search_path
dc_workflow_config_module.DOT_EXE = DOT_EXE dc_workflow_config_module.DOT_EXE = DOT_EXE
def getObjectTitle(obj, REQUEST=None): def getObjectTitle(obj, REQUEST=None):
""" """
Get a state/transition title to be displayed in the graph. Get a state/transition title to be displayed in the graph.
...@@ -125,24 +131,25 @@ def getObjectTitle(obj, REQUEST=None): ...@@ -125,24 +131,25 @@ def getObjectTitle(obj, REQUEST=None):
return title return title
from Products.DCWorkflowGraph import DCWorkflowGraph from Products.DCWorkflowGraph import DCWorkflowGraph
DCWorkflowGraph.getObjectTitle = getObjectTitle DCWorkflowGraph.getObjectTitle = getObjectTitle
from Products.DCWorkflowGraph.config import bin_search_path, DOT_EXE from Products.DCWorkflowGraph.config import bin_search_path, DOT_EXE
from zLOG import LOG, WARNING from zLOG import LOG, WARNING
import subprocess import subprocess
def getGraph(self, wf_id="", format="png", REQUEST=None): def getGraph(self, wf_id="", format="png", REQUEST=None):
"""show a workflow as a graph, copy from: """show a workflow as a graph, copy from:
"OpenFlowEditor":http://www.openflow.it/wwwopenflow/Download/OpenFlowEditor_0_4.tgz "OpenFlowEditor":http://www.openflow.it/wwwopenflow/Download/OpenFlowEditor_0_4.tgz
Monkey-patched to specify font name and size as 'dot' uses Times font by Monkey-patched to fix command injection and specify font name and size as 'dot'
default which does not support Japanese: uses Times font by default which does not support Japanese:
http://www.graphviz.org/doc/fontfaq.txt http://www.graphviz.org/doc/fontfaq.txt
Another solution would be to modify fontconfig configuration so that Times Another solution would be to modify fontconfig configuration so that Times
match Japanese font or to use Unifont which supports many code points. match Japanese font or to use Unifont which supports many code points - but we
don't care, this is obsolete code.
""" """
try: try:
pot = self.getPOT(wf_id, REQUEST) pot = self.getPOT(wf_id, REQUEST)
...@@ -167,7 +174,7 @@ def getGraph(self, wf_id="", format="png", REQUEST=None): ...@@ -167,7 +174,7 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
'-Efontname=IPAexGothic', '-Efontsize=10', '-Efontname=IPAexGothic', '-Efontsize=10',
'-T%s' % format), '-T%s' % format),
stdin=subprocess.PIPE, stdout=subprocess.PIPE) stdin=subprocess.PIPE, stdout=subprocess.PIPE)
result = p.communicate(pot)[0] result = p.communicate(result)[0]
setHeader('Content-Type', 'image/%s' % format) setHeader('Content-Type', 'image/%s' % format)
else: else:
...@@ -181,14 +188,14 @@ def getGraph(self, wf_id="", format="png", REQUEST=None): ...@@ -181,14 +188,14 @@ def getGraph(self, wf_id="", format="png", REQUEST=None):
return result return result
DCWorkflowGraph.getGraph = getGraph DCWorkflowGraph.getGraph = getGraph
from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
DCWorkflowDefinition.getGraph = getGraph DCWorkflowDefinition.getGraph = getGraph
DCWorkflowDefinition.getPOT = DCWorkflowGraph.getPOT DCWorkflowDefinition.getPOT = DCWorkflowGraph.getPOT
security = ClassSecurityInfo() security = ClassSecurityInfo()
security.declareProtected(Permissions.ManagePortal, 'getPOT') security.declareProtected(Permissions.ManagePortal, 'getPOT')
security.declareProtected(Permissions.ManagePortal, 'getGraph') security.declareProtected(Permissions.ManagePortal, 'getGraph')
DCWorkflowDefinition.security = security DCWorkflowDefinition.security = security
InitializeClass(DCWorkflowDefinition) InitializeClass(DCWorkflowDefinition)
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment