Rewrite Base_getPossibleWorkflowActionItemList by External Method instead of...

Rewrite Base_getPossibleWorkflowActionItemList by External Method instead of Python Script having a Manager proxy role.

Because now proxy role in script affects workflow transition guard checks.

product/ERP5/bootstrap/erp5_core/ExtensionTemplateItem/portal_components/extension.erp5.FolderWorkflowActionUtils.py

@@ -198,3 +198,25 @@ def getWorkflowActionDocumentList(self, **kw):
 
   return document_list
 
+def getPossibleWorkflowActionItemList(self, brain, **kw):
+  """
+  SECURITY AUDIT - CHECKED
+  This external method should be safe, because we cannot pass brain
+  from URL.
+  """
+  portal = self.getPortalObject()
+  Base_translateString = portal.Base_translateString
+  item_list = [('', '')]
+  for action in portal.portal_actions.listFilteredActionsFor(brain).get('workflow', []):
+    transition = action.get('transition', None)
+    if transition is not None:
+      workflow_id = action['transition'].aq_parent.aq_parent.getId()
+      if workflow_id == brain.workflow_id:
+        dialog_id = action['url'].split('?', 1)[0].split('/')[-1]
+        dialog_object = getattr(portal, dialog_id, None)
+        if dialog_object is None or dialog_object.meta_type != 'ERP5 Form':
+          dialog_id = portal.Base_viewWorkflowActionDialog.getId()
+        item_list.append((Base_translateString(action['title']),
+                          '%s/%s/%s' % (workflow_id, action['id'], dialog_id)))
+
+  return item_list

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getPossibleWorkflowActionItemList.xml

@@ -2,88 +2,26 @@
 <ZopeData>
   <record id="1" aka="AAAAAAAAAAE=">
     <pickle>
-      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+      <global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
     </pickle>
     <pickle>
       <dictionary>
         <item>
-            <key> <string>Script_magic</string> </key>
-            <value> <int>3</int> </value>
+            <key> <string>_function</string> </key>
+            <value> <string>getPossibleWorkflowActionItemList</string> </value>
         </item>
         <item>
-            <key> <string>_bind_names</string> </key>
-            <value>
-              <object>
-                <klass>
-                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
-                </klass>
-                <tuple/>
-                <state>
-                  <dictionary>
-                    <item>
-                        <key> <string>_asgns</string> </key>
-                        <value>
-                          <dictionary>
-                            <item>
-                                <key> <string>name_container</string> </key>
-                                <value> <string>container</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_context</string> </key>
-                                <value> <string>context</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_m_self</string> </key>
-                                <value> <string>script</string> </value>
-                            </item>
-                            <item>
-                                <key> <string>name_subpath</string> </key>
-                                <value> <string>traverse_subpath</string> </value>
-                            </item>
-                          </dictionary>
-                        </value>
-                    </item>
-                  </dictionary>
-                </state>
-              </object>
-            </value>
-        </item>
-        <item>
-            <key> <string>_body</string> </key>
-            <value> <string>Base_translateString = context.Base_translateString\n
-portal = context.getPortalObject()\n
-item_list = [(\'\', \'\')]\n
-for action in context.portal_actions.listFilteredActionsFor(brain).get(\'workflow\', []):\n
-  transition = action.get(\'transition\', None)\n
-  if transition is not None:\n
-    workflow_id = action[\'transition\'].aq_parent.aq_parent.getId()\n
-    if workflow_id == brain.workflow_id:\n
-      dialog_id = action[\'url\'].split(\'?\', 1)[0].split(\'/\')[-1]\n
-      dialog_object = getattr(portal, dialog_id, None)\n
-      if dialog_object is None or dialog_object.meta_type != \'ERP5 Form\':\n
-        dialog_id = portal.Base_viewWorkflowActionDialog.getId()\n
-      item_list.append((Base_translateString(action[\'title\']),\n
-                        \'%s/%s/%s\' % (workflow_id, action[\'id\'], dialog_id)))\n
-\n
-return item_list\n
-</string> </value>
-        </item>
-        <item>
-            <key> <string>_params</string> </key>
-            <value> <string>brain, **kw</string> </value>
-        </item>
-        <item>
-            <key> <string>_proxy_roles</string> </key>
-            <value>
-              <tuple>
-                <string>Manager</string>
-              </tuple>
-            </value>
+            <key> <string>_module</string> </key>
+            <value> <string>FolderWorkflowActionUtils</string> </value>
         </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_getPossibleWorkflowActionItemList</string> </value>
         </item>
+        <item>
+            <key> <string>title</string> </key>
+            <value> <string></string> </value>
+        </item>
       </dictionary>
     </pickle>
   </record>