fixup! erp5_dms: update document_publication_workflow permissions

bt5/erp5_web_shacache/ExtensionTemplateItem/portal_components/extension.erp5.ShaCache.py

@@ -28,6 +28,7 @@
 
 
 import hashlib, httplib
+from Products.ERP5Type.UnrestrictedMethod import super_user
 
 
 def WebSection_getDocumentValue(self, key, portal=None, language=None,\
@@ -105,7 +106,9 @@ def WebSite_viewAsWebPost(self, *args, **kwargs):
   document = portal.portal_contributions.newContent(file=file,
     filename='shacache', discover_metadata=False, reference=sha512sum,
     content_type='application/octet-stream')
-  document.publish()
+  with super_user():
+    # security check should be done already.
+    document.publish()
 
   self.REQUEST.RESPONSE.setStatus(httplib.CREATED)
   return sha512sum

bt5/erp5_web_shadir/ExtensionTemplateItem/portal_components/extension.erp5.ShaDir.py

@@ -30,6 +30,7 @@ import hashlib
 import json
 import validictory
 from Products.ERP5Type.Document import newTempFile
+from Products.ERP5Type.UnrestrictedMethod import super_user
 
 
 def WebSection_getDocumentValue(self, key, portal=None, language=None,\
@@ -99,7 +100,9 @@ def WebSection_setObject(self, id, ob, **kw):
   if data_set is None:
     data_set = portal.data_set_module.newContent(portal_type='Data Set',
                                                  reference=id)
-    data_set.publish()
+    with super_user():
+      # security check should be done already.
+      data_set.publish()
 
 
   reference = hashlib.sha512(data).hexdigest()
@@ -109,7 +112,9 @@ def WebSection_setObject(self, id, ob, **kw):
   ob.setReference(reference)
   if expiration_date is not None:
     ob.setExpirationDate(expiration_date)
-  ob.publish()
+  with super_user():
+    # security check should be done already.
+    ob.publish()
   return ob
 
 def WebSection_putFactory(self, name, typ, body):

bt5/erp5_web_ung_theme/SkinTemplateItem/portal_skins/erp5_web_ung_theme/WebPage_shareDocument.xml

@@ -65,6 +65,20 @@ return "%s/?key=%s" % (base_url, context.getReference())\n
             <key> <string>_params</string> </key>
             <value> <string></string> </value>
         </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Assignor</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>WebPage_shareDocument</string> </value>
@@ -72,4 +86,23 @@ return "%s/?key=%s" % (base_url, context.getReference())\n
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>roles</string> </key>
+            <value>
+              <tuple>
+                <string>Assignor</string>
+                <string>Auditor</string>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

bt5/networkcache_erp5/TestTemplateItem/portal_components/test.erp5.testShaCacheSecurity.py

@@ -129,18 +129,20 @@ class TestShaCacheSecurity(ShaCacheMixin, ShaSecurityMixin, SecurityTestCase):
 
       It also must check if document can be published alive.
     """
-    self.changeUser(self.lucas_user)
     for module in ('image_module', 'document_module',):
       module = getattr(self.portal, module)
       for portal_type in module.getVisibleAllowedContentTypeList():
+        self.changeUser(self.lucas_user)
         document = module.newContent(portal_type=portal_type)
 
         document()
         document.view()
 
+        self.login()
         document.publishAlive()
         self.tic()
 
+        self.changeUser(self.lucas_user)
         self.assertEqual('Published Alive',
                             document.getValidationStateTitle())
 
@@ -181,6 +183,7 @@ class TestShaCacheSecurity(ShaCacheMixin, ShaSecurityMixin, SecurityTestCase):
 
         self.changeUser(self.toto_user)
         document = module.newContent(portal_type=portal_type)
+        self.login()
         document.publishAlive()
         self.tic()
 

bt5/networkcache_erp5/TestTemplateItem/portal_components/test.erp5.testShaDirSecurity.py

@@ -120,8 +120,10 @@ class TestShaDirSecurity(ShaDirMixin, ShaSecurityMixin, SecurityTestCase):
     data_set()
     data_set.view()
 
+    self.login()
     data_set.publish()
     self.tic()
+    self.changeUser(self.lucas_user)
     self.assertEqual('Published', data_set.getValidationStateTitle())
 
     self.assertUserHaveRoleOnDocument(self.lucas_user, 'Auditor', data_set)
@@ -147,6 +149,7 @@ class TestShaDirSecurity(ShaDirMixin, ShaSecurityMixin, SecurityTestCase):
     data_set = self.portal.data_set_module.newContent(
                            portal_type='Data Set',
                            reference=self.key)
+    self.login()
     data_set.publish()
     self.tic()
 
@@ -167,9 +170,11 @@ class TestShaDirSecurity(ShaDirMixin, ShaSecurityMixin, SecurityTestCase):
     document()
     document.view()
 
+    self.login()
     document.publishAlive()
     self.tic()
 
+    self.changeUser(self.lucas_user)
     self.assertEqual('Published Alive', document.getValidationStateTitle())
     self.assertUserHaveRoleOnDocument(self.lucas_user, 'Auditor', document)
 
@@ -191,6 +196,7 @@ class TestShaDirSecurity(ShaDirMixin, ShaSecurityMixin, SecurityTestCase):
     """
     self.changeUser(self.toto_user)
     document = self.portal.document_module.newContent(portal_type='Text')
+    self.login()
     document.publishAlive()
     self.tic()