ERP5Workflow: declare security permission for methods

product/ERP5Workflow/Document/State.py

@@ -93,6 +93,8 @@ class State(IdAsReferenceMixin("state_", "prefix"), XMLObject, CustomStorageMatr
     # return possible transition id list:
     return self.getDestinationIdList()
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getStatePermissionRolesDict')
   def getStatePermissionRolesDict(self):
     role_dict = getattr(self, 'state_permission_roles', None)
     if role_dict is None:
@@ -101,24 +103,38 @@ class State(IdAsReferenceMixin("state_", "prefix"), XMLObject, CustomStorageMatr
       self.state_permission_roles = role_dict = PersistentMapping()
     return role_dict
 
+  security.declareProtected(Permissions.ModifyPortalContent,
+                            'setStatePermissionRolesDict')
   def setStatePermissionRolesDict(self, permission_roles):
+    """
+    create a dict containing state/permission role dict
+    use a PersistentMapping so that the ZODB is updated
+    when this dict is changed
+    """
     self.state_permission_roles = PersistentMapping(permission_roles)
 
+  security.declareProtected(Permissions.ModifyPortalContent,
+                            'setPermission')
   def setPermission(self, permission, acquired, roles, REQUEST=None):
     """
     Set a permission for this State.
     """
     self.state_permission_roles[permission] = list(roles)
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getDestinationReferenceList')
   def getDestinationReferenceList(self):
     ref_list = []
     for tr in self.getDestinationValueList():
       ref_list.append(tr.getReference())
     return ref_list
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getAvailableTypeList')
   def getAvailableTypeList(self):
     """
-    This is a method specific to ERP5. This returns a list of state types, which are used for portal methods.
+    This is a method specific to ERP5. This returns a list of state types,
+    which are used for portal methods.
     """
     return (
             'draft_order',
@@ -129,6 +145,8 @@ class State(IdAsReferenceMixin("state_", "prefix"), XMLObject, CustomStorageMatr
             'current_inventory',
             )
 
+  security.declareProtected(Permissions.ModifyPortalContent,
+                            'updateCellFromCustomStorage')
   def updateCellFromCustomStorage(self, cell, **kw):
     """
     Creates a new content as a matrix box cell.

product/ERP5Workflow/Document/Workflow.py

@@ -100,8 +100,8 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
     return super(Workflow, self).__getattr__(name)
 
   def notifyCreated(self, document):
-
-    """Notifies this workflow after an object has been created and added.
+    """
+    Notifies this workflow after an object has been created and added.
     """
     try:
         self._changeStateOf(document, None)
@@ -109,6 +109,8 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
         # Swallow.
         pass
 
+  security.declareProtected(Permissions.ModifyPortalContent,
+                            'initializeDocument')
   initializeDocument = notifyCreated
 
   def _generateHistoryKey(self):
@@ -134,18 +136,21 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
 
     # Update history
     document.workflow_history[workflow_key] += (status_dict,)
-    # XXX this _p_changed marks the document modified, but the
-    # only the PersistentMapping is modified
+    # XXX this _p_changed marks the document modified, but only the
+    # PersistentMapping is modified
     # document._p_changed = 1
     # XXX this _p_changed is apparently not necessary
     #document.workflow_history._p_changed = 1
 
+  security.declarePublic('getDateTime')
   def getDateTime(self):
     """
     Return current date time.
     """
     return DateTime()
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getStateChangeInformation')
   def getStateChangeInformation(self, document, state, transition=None):
     """
     Return an object used for variable tales expression.
@@ -481,6 +486,8 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
 
       return value
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getCurrentStatusDict')
   def getCurrentStatusDict(self, document):
     """
     Get the current status dict. It's the same as _getStatusOf.
@@ -766,6 +773,7 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
     else:
         return new_sdef
 
+  security.declarePublic('wrapWorkflowMethod')
   def wrapWorkflowMethod(self, ob, method_id, func, args, kw):
     '''
     Allows the user to request a workflow action.  This method
@@ -794,14 +802,25 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
         raise ObjectMoved(ex.getNewObject(), res)
     return res
 
+  security.declareProtected(Permissions.AddPortalContent,
+                            'addTransition')
   def addTransition(self, name):
+    """
+    add a new transition to the workflow
+    """
     tr = self.newContent(portal_type='Transition')
     tr.setReference(name)
 
+  security.declareProtected(Permissions.DeleteObjects,
+                            'deleteTransitions')
   def deleteTransitions(self, name_list):
+    """
+    remove an set of transition
+    """
     for name in name_list:
       self._delObject('transition_'+name)
 
+  security.declareProtected(Permissions.AccessContentsInformation, 'showAsXML')
   def showAsXML(self, root=None):
     if root is None:
       root = Element('erp5')
@@ -1046,6 +1065,8 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
     return etree.tostring(root, encoding='utf-8',
                           xml_declaration=True, pretty_print=True)
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getPortalTypeListForWorkflow')
   # Get list of portal types for workflow
   def getPortalTypeListForWorkflow(self):
     """
@@ -1140,6 +1161,8 @@ class Workflow(IdAsReferenceMixin("", "prefix"), XMLObject):
       """
       return 1
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getCatalogVariablesFor')
   def getCatalogVariablesFor(self, ob):
       '''
       Allows this workflow to make workflow-specific variables

product/ERP5Workflow/Document/Worklist.py

@@ -102,9 +102,7 @@ class Worklist(IdAsReferenceMixin("worklist_", "prefix"), XMLObject,
         'variable_comment', 'variable_error_message', 'variable_history',\
         'variable_portal_type', 'variable_time']
 
-      """
-      Check workflow variables:
-      """
+      # Check workflow variables:
       for variable_value in self.getParentValue().objectValues(portal_type="Workflow Variable"):
         variable_id = variable_value.getId()
         workflow_variable_id_list.append(variable_id)
@@ -122,16 +120,15 @@ class Worklist(IdAsReferenceMixin("worklist_", "prefix"), XMLObject,
           self._delObject(variable_id)
           res.remove(worklist_variable_value)
 
-      """
-      Append user created worklist variables.
-      """
+      # Append user created worklist variables.
       for worklist_variable_value in self.objectValues():
         if worklist_variable_value.getId() not in workflow_variable_id_list:
           res.append(worklist_variable_value)
           workflow_variable_id_list.append(worklist_variable_value.getId())
-      LOG(" worklist '%s' has variable '%s'"%(self.getId(),workflow_variable_id_list ),0, " in Worklist.py 159")
       return res
 
+    security.declareProtected(Permissions.AccessContentsInformation,
+                              'getVarMatchKeys')
     def getVarMatchKeys(self):
         key_list = []
         if self.getMatchedPortalTypeList():
@@ -147,6 +144,8 @@ class Worklist(IdAsReferenceMixin("worklist_", "prefix"), XMLObject,
             key_list.append(dynamic_variable.getReference())
         return key_list
 
+    security.declareProtected(Permissions.AccessContentsInformation,
+                              'getVarMatch')
     def getVarMatch(self, id):
         """ return value of matched keys"""
         matches = None
@@ -186,6 +185,8 @@ class Worklist(IdAsReferenceMixin("worklist_", "prefix"), XMLObject,
         else:
           return ()
 
+    security.declareProtected(Permissions.AccessContentsInformation,
+                              'getVarMatchText')
     def getVarMatchText(self, id):
         values = self.getVarMatch(id)
         if isinstance(values, Expression):

product/ERP5Workflow/Tool/WorkflowTool.py

@@ -57,6 +57,7 @@ from Products.CMFCore.WorkflowCore import ObjectMoved, ObjectDeleted,\
                                           WorkflowException
 from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
 from Products.DCWorkflow.Expression import Expression
+from Products.DCWorkflow.permissions import ManagePortal
 from Products.DCWorkflow.Transitions import TRIGGER_WORKFLOW_METHOD
 from Products.ERP5 import _dtmldir
 from Products.ERP5.Document.BusinessTemplate import BusinessTemplateMissingDependency
@@ -106,6 +107,7 @@ class WorkflowTool(BaseTool, OriginalWorkflowTool):
 
   # Declarative Security
   security = ClassSecurityInfo()
+  security.declareObjectProtected(Permissions.AccessContentsInformation)
 
   _product_interfaces = OriginalWorkflowTool._product_interfaces
   _chains_by_type = OriginalWorkflowTool._chains_by_type
@@ -168,6 +170,7 @@ class WorkflowTool(BaseTool, OriginalWorkflowTool):
           return True
     return False
 
+  security.declareProtected(Permissions.ModifyPortalContent, 'copyWorkflow')
   def copyWorkflow(self, old_workflow_id, new_workflow_id):
     """
       Create a copy of old_workflow_id workflow
@@ -215,6 +218,8 @@ class WorkflowTool(BaseTool, OriginalWorkflowTool):
     return self._invokeWithNotification(
       workflow_list, ob, action, wf.doActionFor, (ob, action) + args, kw)
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getWorkflowValueListFor')
   def getWorkflowValueListFor(self, ob):
     """ Return a list of workflows bound to selected object, this workflow
         list may contain both DC Workflow and Workflow.
@@ -260,6 +265,8 @@ class WorkflowTool(BaseTool, OriginalWorkflowTool):
   def getObjectFromPath(self, path):
     return self.unrestrictedTraverse(path)
 
+  security.declareProtected(Permissions.AccessContentsInformation,
+                            'getWorkflowTempObjectList')
   def getWorkflowTempObjectList(self, temp_obj=1):
     """ Return a list of converted temporary workflows. Only necessary in
         Workflow Tool to get temporarilly converted DCWorkflow.
@@ -290,6 +297,8 @@ class WorkflowTool(BaseTool, OriginalWorkflowTool):
         script_path_list.append(script_path)
     return script_path_list
 
+  security.declareProtected(Permissions.ModifyPortalContent,
+                            'dc_workflow_asERP5Object')
   def dc_workflow_asERP5Object(self, dc_workflow, is_temporary=False):
     """ convert DC Workflow to New Workflow """
 

product/ERP5Workflow/mixin/guardable.py

@@ -9,9 +9,10 @@ from Persistence import Persistent
 
 from Products.CMFCore.Expression import Expression
 from Products.CMFCore.utils import _checkPermission
+from Products.ERP5Type import Permissions
+
 from Products.DCWorkflow.Expression import StateChangeInfo
 from Products.DCWorkflow.Expression import createExprContext
-from Products.DCWorkflow.permissions import ManagePortal
 from Products.DCWorkflow.utils import _dtmldir
 # XXX(WORKFLOW) remove dependencies to DCWorkflow ^
 
@@ -28,18 +29,21 @@ class GuardableMixin(object):
   guard_role = ()
 
   security = ClassSecurityInfo()
-  security.declareObjectProtected(ManagePortal)
+  security.declareObjectProtected(Permissions.ManagePortal)
 
   def isGuarded(self):
+    # Returns True if object has at least one of the guard securities set among:
+    #  * expression
+    #  * group
+    #  * permission
+    #  * role
     return self.guard_expression or self.guard_group or \
     self.guard_permission or self.guard_role
 
   def checkGuard(self, security_manager, workflow, current_object, check_roles=True, **kw):
-    """
-    Checks conditions in this guard.
-    original source code from DCWorkflow (Nexedi patched version for use of
-    proxy_roles)
-    """
+    # Checks conditions in this guard.
+    # original source code from DCWorkflow (Nexedi patched version for use of
+    # proxy_roles)
     user_roles = None
 
     def getRoles():