Fixed security in workflow scripts wrt state_change_object. Popup search box...

Fixed security in workflow scripts wrt state_change_object. Popup search box can now resist to missing information.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@14396 20353a03-c40f-0410-a6d1-a30d3c3de9de

bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/Document_getPopupInfo.xml

@@ -78,11 +78,14 @@ translateString = context.Base_translateString\n
 vals = {}\n
 owner_list = context.Base_getOwnerInfoList()\n
 vals[\'owner\'] = \'; \'.join([owner[\'title\'] for owner in owner_list])\n
-vals[\'moddate\'] = context.WebSite_getFancyRelativeDate(context.getModificationDate())\n
+if context.getModificationDate() is not None:\n
+  vals[\'moddate\'] = context.WebSite_getFancyRelativeDate(context.getModificationDate())\n
 publdate = context.Document_getLastWorkflowStateEntryDate(state=(\'public,\'), state_name=\'validation_state\')\n
-vals[\'publdate\'] = context.WebSite_getFancyRelativeDate(publdate)\n
+if publdate is not None:\n
+  vals[\'publdate\'] = context.WebSite_getFancyRelativeDate(publdate)\n
 reldate = context.Document_getLastWorkflowStateEntryDate(state=(\'released,\'), state_name=\'validation_state\')\n
-vals[\'reldate\'] = context.WebSite_getFancyRelativeDate(reldate)\n
+if reldate is not None:\n
+  vals[\'reldate\'] = context.WebSite_getFancyRelativeDate(reldate)\n
 try:\n
   vals[\'status\'] = context.getTranslatedValidationStateTitle() or \'\'\n
 except AttributeError:\n
@@ -162,6 +165,7 @@ return context.Document_viewPopupTemplate(**vals)\n
                             <string>owner</string>
                             <string>_getitem_</string>
                             <string>_write_</string>
+                            <string>None</string>
                             <string>publdate</string>
                             <string>reldate</string>
                             <string>AttributeError</string>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_interaction_workflow/scripts/CheckKnownType.xml

@@ -74,7 +74,7 @@ XXX (the same is done in Document_uploadFile - seems that we\n
 have redundancy here)\n
 """\n
 \n
-ob=state_change.object\n
+ob=state_change[\'object\']\n
 kw=ob.REQUEST\n
 f=kw.get(\'my_file\', None)\n
 \n
@@ -131,8 +131,9 @@ if f is not None and f:\n
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>ob</string>
+                            <string>_getattr_</string>
                             <string>kw</string>
                             <string>None</string>
                             <string>f</string>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_interaction_workflow/scripts/CheckUnKnownType.xml

@@ -74,7 +74,7 @@ XXX (the same is done in Document_uploadFile - seems that we\n
 have redundancy here)\n
 """\n
 \n
-ob = state_change.object\n
+ob = state_change[\'object\']\n
 kw = ob.REQUEST\n
 f = kw.get(\'my_file\', None)\n
 \n
@@ -129,8 +129,9 @@ if f is not None and f:\n
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>ob</string>
+                            <string>_getattr_</string>
                             <string>kw</string>
                             <string>None</string>
                             <string>f</string>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_interaction_workflow/scripts/IngestAfterUpload.xml

@@ -73,7 +73,7 @@ this is not used in current implementation\n
 because we don\'t upload files in edit\n
 """\n
 \n
-ob=state_change.object\n
+ob=state_change[\'object\']\n
 kw=ob.REQUEST\n
 f=kw.get(\'my_file\', None)\n
 \n
@@ -123,8 +123,9 @@ if f is not None and f:\n
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>ob</string>
+                            <string>_getattr_</string>
                             <string>kw</string>
                             <string>None</string>
                             <string>f</string>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_interaction_workflow/scripts/OOoDocument_updateMetadata.xml

@@ -75,7 +75,7 @@ XXX - This script must be verified, written with clean syntax \n
 and using less horrible methods (request lookup yuk!)\n
 """\n
 \n
-ob=state_change.object\n
+ob=state_change[\'object\']\n
 kw=ob.REQUEST\n
 metafields=(\'title\',\'subject\',\'description\',\'reference\',\'version\',\'language\') # XXX hardcoded?\n
 f=kw.get(\'my_file\',None)\n
@@ -139,8 +139,9 @@ if ob.hasBaseData():\n
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>ob</string>
+                            <string>_getattr_</string>
                             <string>kw</string>
                             <string>metafields</string>
                             <string>None</string>
@@ -149,7 +150,6 @@ if ob.hasBaseData():\n
                             <string>_getiter_</string>
                             <string>mf</string>
                             <string>keymf</string>
-                            <string>_getitem_</string>
                             <string>_write_</string>
                           </tuple>
                         </value>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/scripts/archivePublicVersion.xml

@@ -68,7 +68,7 @@
         </item>
         <item>
             <key> <string>_body</string> </key>
-            <value> <string>o = state_change.object\n
+            <value> <string>o = state_change[\'object\']\n
 ref = o.getReference()\n
 if ref is None: # this shouldn\'t happen\n
   raise Exception(\'how on earth can reference be None?\')\n
@@ -121,8 +121,9 @@ for ob in [r.getObject() for r in res]: # again, this should never happen, but s
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>o</string>
+                            <string>_getattr_</string>
                             <string>ref</string>
                             <string>None</string>
                             <string>Exception</string>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/scripts/archiveReleasedVersion.xml

@@ -68,7 +68,7 @@
         </item>
         <item>
             <key> <string>_body</string> </key>
-            <value> <string>o = state_change.object\n
+            <value> <string>o = state_change[\'object\']\n
 ref = o.getReference()\n
 if ref is None: # this shouldn\'t happen\n
   raise Exception(\'how on earth can reference be None?\')\n
@@ -121,8 +121,9 @@ for ob in [r.getObject() for r in res]: # again, this should never happen, but s
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>o</string>
+                            <string>_getattr_</string>
                             <string>ref</string>
                             <string>None</string>
                             <string>Exception</string>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/scripts/checkValidity.xml

@@ -76,7 +76,7 @@ otherwise set a special variable and raise validation exception\n
 """\n
 from Products.DCWorkflow.DCWorkflow import ValidationFailed\n
 \n
-ob=state_change.object\n
+ob=state_change[\'object\']\n
 res = ob.checkConsistency()\n
 if res:\n
   msg= \'The document is not consistent:<br/>\'\n
@@ -129,8 +129,9 @@ if res:\n
                             <string>state_change</string>
                             <string>Products.DCWorkflow.DCWorkflow</string>
                             <string>ValidationFailed</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>ob</string>
+                            <string>_getattr_</string>
                             <string>res</string>
                             <string>msg</string>
                           </tuple>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/external_document_interaction_workflow/scripts/FixUrlString.xml

@@ -70,7 +70,7 @@
             <key> <string>_body</string> </key>
             <value> <string encoding="cdata"><![CDATA[
 
-o=state_change.object\n
+o=state_change[\'object\']\n
 u=o.getUrlString()\n
 i=u.find(\'://\')\n
 if i>-1:\n
@@ -124,11 +124,11 @@ if i>-1:\n
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>o</string>
+                            <string>_getattr_</string>
                             <string>u</string>
                             <string>i</string>
-                            <string>_getitem_</string>
                             <string>prot</string>
                             <string>Exception</string>
                           </tuple>

bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/local_permission_interaction_workflow/scripts/Parent_updateAllLocalRoles.xml

@@ -68,7 +68,12 @@
         </item>
         <item>
             <key> <string>_body</string> </key>
-            <value> <string>state_change[\'object\'].getParentValue().assignRoleToSecurityGroup()\n
+            <value> <string>"""\n
+This script updates all local roles on the object. It requires Assignor\n
+proxy role since it may be called by owner in draft state.\n
+"""\n
+\n
+state_change[\'object\'].getParentValue().assignRoleToSecurityGroup()\n
 </string> </value>
         </item>
         <item>
@@ -87,6 +92,14 @@
             <key> <string>_params</string> </key>
             <value> <string>state_change</string> </value>
         </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Assignor</string>
+              </tuple>
+            </value>
+        </item>
         <item>
             <key> <string>errors</string> </key>
             <value>