From 1664e5419ed0f2a0ef95e6e905caa170852df31b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
Date: Fri, 15 Sep 2017 05:29:01 +0000
Subject: [PATCH] dms: do not grant permissions based on Owner role

 .. except from Draft and Submitted state.

Document security should be based on group, site, function defined on
document, sometimes publication section and or follow up, but the owner
should only be considered in draft state.

For convenience (and compatibility), Owner is also allowed to view in
Submitted state. The use case is a user submitting a document that he
will no longer be allowed to see, for example because he made a mistake
when choosing properties: the user is still allowed to view the document
and there is no unauthorized error.

We want to allow a user to set properties before publishing a document;
later, once the document is no longer draft, the security of the
document will depend on these properties.

We want to prevent users from getting permissions on a PDF document that
is created by an interaction and that they are not supposed to see, for
example when we generate a PDF invoice and store it in the document
module. In this case, as the interaction runs as the user, this user
implicitly has the Owner role.
---
 .../states/archived.xml                              | 12 ++----------
 .../states/assigned.xml                              |  7 +------
 .../states/cancelled.xml                             | 12 ++----------
 .../document_publication_workflow/states/hidden.xml  |  7 +------
 .../states/published.xml                             | 12 ++----------
 .../states/published_alive.xml                       |  7 +------
 .../states/released.xml                              | 12 ++----------
 .../states/released_alive.xml                        |  7 +------
 .../states/requested.xml                             |  7 +------
 .../document_publication_workflow/states/shared.xml  |  7 +------
 .../states/shared_alive.xml                          |  7 +------
 .../document_publication_workflow/states/split.xml   |  7 +------
 .../states/translated.xml                            |  7 +------
 13 files changed, 17 insertions(+), 94 deletions(-)

diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
index 288c6cd34b..43934234c7 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
@@ -41,18 +41,12 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <tuple>
-          <string>Persistence</string>
-          <string>PersistentMapping</string>
-        </tuple>
-        <none/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
         <item>
-            <key> <string>_container</string> </key>
+            <key> <string>data</string> </key>
             <value>
               <dictionary>
                 <item>
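Review bot: The class-reference rewrite at the top of this hunk (the nested `<tuple>` naming `Persistence`/`PersistentMapping` replaced by `<global name="PersistentMapping" module="Persistence.mapping"/>`) and the `_container` to `data` key rename are serialization changes that the commit message does not mention. The dictionary under that key appears to hold this state's permission-to-roles mapping, so if the business template import did not treat the two forms identically the state would load with different permissions than intended. I would move the re-export into its own commit, or state in the message that it is a no-op re-serialization that was checked by importing the template. The same key rename is in the first hunk of cancelled.xml, published.xml and released.xml, and the shorter `<tuple>`/`<tuple/>` wrapper removal is in the first hunk of the other nine files. The record continues outside the hunk.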
@@ -63,7 +57,6 @@
                         <string>Assignor</string>
                         <string>Associate</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
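Review bot: Dropping `<string>Owner</string>` from this tuple changes only the workflow definition, and with DCWorkflow-style workflows the permission settings are written onto each document when it enters a state, so documents already in archived would presumably keep Owner until their role mappings are refreshed. If that holds here, the documents the commit message is worried about (PDFs already generated by an interaction) stay readable by their owner after the upgrade, and the patch needs a migration step such as running the workflow tool's `updateRoleMappings`, noted in the commit message. The permission this tuple belongs to is named in an `<item>` key above the hunk, so which permission loses Owner cannot be confirmed from these lines. The same applies to the second Owner removal in this file and to both Owner-removal hunks in each of the other twelve state files.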
@@ -101,7 +94,6 @@
                         <string>Assignor</string>
                         <string>Associate</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
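Review bot: Nothing in this patch pins the new behaviour: the diffstat lists only the 13 state files, so a later re-export that puts `<string>Owner</string>` back into one of these tuples would go unnoticed. I would add a test that creates a document as a user whose only role on it is Owner, moves it through the workflow, and asserts that viewing is refused in each of these states while still allowed in draft and submitted. A second case covering a document created by an interaction on behalf of the user would exercise the scenario the commit message describes.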
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/assigned.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/assigned.xml
index 16ec2b17eb..6ee7fcc3ef 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/assigned.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/assigned.xml
@@ -46,10 +46,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -64,7 +61,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -104,7 +100,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/cancelled.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/cancelled.xml
index c743f5a96b..17bb63e3b3 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/cancelled.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/cancelled.xml
@@ -44,18 +44,12 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <tuple>
-          <string>Persistence</string>
-          <string>PersistentMapping</string>
-        </tuple>
-        <none/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
         <item>
-            <key> <string>_container</string> </key>
+            <key> <string>data</string> </key>
             <value>
               <dictionary>
                 <item>
@@ -65,7 +59,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -100,7 +93,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/hidden.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/hidden.xml
index 99f9ee9bf0..45b642f2be 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/hidden.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/hidden.xml
@@ -56,10 +56,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -74,7 +71,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -114,7 +110,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published.xml
index 45a2c1b483..6e00642e18 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published.xml
@@ -48,18 +48,12 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <tuple>
-          <string>Persistence</string>
-          <string>PersistentMapping</string>
-        </tuple>
-        <none/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
         <item>
-            <key> <string>_container</string> </key>
+            <key> <string>data</string> </key>
             <value>
               <dictionary>
                 <item>
@@ -72,7 +66,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -112,7 +105,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published_alive.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published_alive.xml
index 9e4385b734..8448c07193 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published_alive.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/published_alive.xml
@@ -48,10 +48,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -69,7 +66,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -112,7 +108,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released.xml
index eab2209b03..c49b444491 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released.xml
@@ -50,18 +50,12 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <tuple>
-          <string>Persistence</string>
-          <string>PersistentMapping</string>
-        </tuple>
-        <none/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
         <item>
-            <key> <string>_container</string> </key>
+            <key> <string>data</string> </key>
             <value>
               <dictionary>
                 <item>
@@ -73,7 +67,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -112,7 +105,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released_alive.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released_alive.xml
index 67d8a0c3c3..fca7389aa1 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released_alive.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/released_alive.xml
@@ -52,10 +52,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -72,7 +69,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -114,7 +110,6 @@
                         <string>Associate</string>
                         <string>Auditor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/requested.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/requested.xml
index 5d7ed7565e..95e7829538 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/requested.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/requested.xml
@@ -46,10 +46,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -64,7 +61,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -102,7 +98,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
index 8dcdb19f83..9c01550ee5 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
@@ -50,10 +50,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -69,7 +66,6 @@
                         <string>Assignor</string>
                         <string>Associate</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -107,7 +103,6 @@
                         <string>Assignor</string>
                         <string>Associate</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared_alive.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared_alive.xml
index ba80358ac9..d0ba538ef5 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared_alive.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared_alive.xml
@@ -56,10 +56,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -75,7 +72,6 @@
                         <string>Assignor</string>
                         <string>Associate</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -116,7 +112,6 @@
                         <string>Assignor</string>
                         <string>Associate</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/split.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/split.xml
index 70916c26b2..5b0c114ffc 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/split.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/split.xml
@@ -44,10 +44,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -62,7 +59,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -102,7 +98,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
diff --git a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/translated.xml b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/translated.xml
index bdeb5da489..276ffdc2de 100644
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/translated.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/translated.xml
@@ -48,10 +48,7 @@
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
-      <tuple>
-        <global name="PersistentMapping" module="Persistence.mapping"/>
-        <tuple/>
-      </tuple>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
     <pickle>
       <dictionary>
@@ -66,7 +63,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
@@ -104,7 +100,6 @@
                         <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
-                        <string>Owner</string>
                       </tuple>
                     </value>
                 </item>
-- 
2.30.9