fix strange security of career_workflow:

* Assignee can pass workflow transition, but cannot see the document in draft. Fix that by giving View to Assignee in draft.
* Assignee / Assignor cannot view a cancelled career, but only them use cancel transition. Fix that by giving View to Assignee / Assignor in cancelled state.
* Give view to Auditor in both cancelled and draft.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@34662 20353a03-c40f-0410-a6d1-a30d3c3de9de

bt5/erp5_base/WorkflowTemplateItem/portal_workflow/career_workflow/states/cancelled.xml

@@ -45,23 +45,22 @@
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
       <tuple>
-        <tuple>
-          <string>Persistence</string>
-          <string>PersistentMapping</string>
-        </tuple>
-        <none/>
+        <global name="PersistentMapping" module="Persistence.mapping"/>
+        <tuple/>
       </tuple>
     </pickle>
     <pickle>
       <dictionary>
         <item>
-            <key> <string>_container</string> </key>
+            <key> <string>data</string> </key>
             <value>
               <dictionary>
                 <item>
                     <key> <string>Access contents information</string> </key>
                     <value>
                       <tuple>
+                        <string>Assignee</string>
+                        <string>Assignor</string>
                         <string>Auditor</string>
                         <string>Manager</string>
                         <string>Owner</string>
@@ -80,6 +79,8 @@
                     <key> <string>View</string> </key>
                     <value>
                       <tuple>
+                        <string>Assignee</string>
+                        <string>Assignor</string>
                         <string>Auditor</string>
                         <string>Manager</string>
                         <string>Owner</string>

bt5/erp5_base/WorkflowTemplateItem/portal_workflow/career_workflow/states/draft.xml

@@ -50,24 +50,23 @@
   <record id="2" aka="AAAAAAAAAAI=">
     <pickle>
       <tuple>
-        <tuple>
-          <string>Persistence</string>
-          <string>PersistentMapping</string>
-        </tuple>
-        <none/>
+        <global name="PersistentMapping" module="Persistence.mapping"/>
+        <tuple/>
       </tuple>
     </pickle>
     <pickle>
       <dictionary>
         <item>
-            <key> <string>_container</string> </key>
+            <key> <string>data</string> </key>
             <value>
               <dictionary>
                 <item>
                     <key> <string>Access contents information</string> </key>
                     <value>
                       <tuple>
+                        <string>Assignee</string>
                         <string>Assignor</string>
+                        <string>Auditor</string>
                         <string>Manager</string>
                         <string>Owner</string>
                       </tuple>
@@ -77,6 +76,7 @@
                     <key> <string>Modify portal content</string> </key>
                     <value>
                       <tuple>
+                        <string>Assignee</string>
                         <string>Assignor</string>
                         <string>Manager</string>
                         <string>Owner</string>
@@ -87,7 +87,9 @@
                     <key> <string>View</string> </key>
                     <value>
                       <tuple>
+                        <string>Assignee</string>
                         <string>Assignor</string>
+                        <string>Auditor</string>
                         <string>Manager</string>
                         <string>Owner</string>
                       </tuple>

bt5/erp5_base/bt/revision

-715
+716
\ No newline at end of file