Fix security issue.

DO NOT YELL AT ME IT IS ROMAIN'S FIX.

Fix security issue.
DO NOT YELL AT ME IT IS ROMAIN'S FIX.
f138226d · Antoine Catton · bef9c56e · f138226d · f138226d · f138226d
Commit f138226d authored Dec 28, 2011 by Antoine Catton
5 changed files
--- a/master/bt5/vifib_erp5/PortalTypeRolesTemplateItem/Slave%20Instance.xml
+++ b/master/bt5/vifib_erp5/PortalTypeRolesTemplateItem/Slave%20Instance.xml
@@ -6,7 +6,7 @@
  </role>
  <role id='Assignee'>
   <property id='title'>Customer of the Instance</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAggregateMovementItemByPerson</property>
+   <property id='base_category_script'>SoftwareType_getSecurityCategoryFromAggregateMovementItemByPerson</property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
  <role id='Assignee'>
@@ -17,7 +17,7 @@
  </role>
  <role id='Assignor'>
   <property id='title'>Slave Instance related by Hosting Subscription</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAggregateMovementItemByHostingSubscription</property>
+   <property id='base_category_script'>SoftwareType_getSecurityCategoryFromAggregateMovementItemByHostingSubscription</property>
   <multi_property id='base_category'>aggregate</multi_property>
  </role>
  <role id='Assignor'>

--- a/master/bt5/vifib_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
+++ b/master/bt5/vifib_erp5/PortalTypeRolesTemplateItem/Software%20Instance.xml
@@ -6,7 +6,7 @@
  </role>
  <role id='Assignee'>
   <property id='title'>Customer of the Instance</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAggregateMovementItemByPerson</property>
+   <property id='base_category_script'>SoftwareType_getSecurityCategoryFromAggregateMovementItemByPerson</property>
   <multi_property id='base_category'>destination_section</multi_property>
  </role>
  <role id='Assignee'>
@@ -17,7 +17,7 @@
  </role>
  <role id='Assignor'>
   <property id='title'>Software Instance related by Hosting Subscription</property>
-   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAggregateMovementItemByHostingSubscription</property>
+   <property id='base_category_script'>SoftwareType_getSecurityCategoryFromAggregateMovementItemByHostingSubscription</property>
   <multi_property id='base_category'>aggregate</multi_property>
  </role>
 </type_roles>
\ No newline at end of file
--- a/master/bt5/vifib_erp5/SkinTemplateItem/portal_skins/vifib_core/SoftwareType_getSecurityCategoryFromAggregateMovementItemByHostingSubscription.xml
+++ b/master/bt5/vifib_erp5/SkinTemplateItem/portal_skins/vifib_core/SoftwareType_getSecurityCategoryFromAggregateMovementItemByHostingSubscription.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_body</string> </key>
+            <value> <string># XXX For now, this script requires proxy manager\n
+\n
+# base_category_list : list of category values we need to retrieve\n
+# user_name : string obtained from getSecurityManager().getUser().getUserName() [NuxUserGroup]\n
+#             or from getSecurityManager().getUser().getId() [PluggableAuthService with ERP5GroupManager]\n
+# object : object which we want to assign roles to.\n
+# portal_type : portal type of object\n
+\n
+# must always return a list of dicts\n
+\n
+category_list = []\n
+\n
+if obj is None:\n
+  return []\n
+\n
+item_portal_type = "Hosting Subscription"\n
+movement_portal_type = "Sale Order Line"\n
+\n
+portal = obj.getPortalObject()\n
+\n
+movement = portal.portal_catalog.getResultValue(\n
+  portal_type=movement_portal_type,\n
+  strict_aggregate_uid=obj.getUid(),\n
+  simulation_state=(\'confirmed\', \'ordered\'),\n
+)\n
+\n
+if movement is not None:\n
+  item = movement.getAggregateValue(portal_type=item_portal_type)\n
+  if item is not None:\n
+    category_list.append({"aggregate": [item.getRelativeUrl()]})\n
+\n
+return category_list\n
+</string> </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>SoftwareType_getSecurityCategoryFromAggregateMovementItemByHostingSubscription</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/master/bt5/vifib_erp5/SkinTemplateItem/portal_skins/vifib_core/SoftwareType_getSecurityCategoryFromAggregateMovementItemByPerson.xml
+++ b/master/bt5/vifib_erp5/SkinTemplateItem/portal_skins/vifib_core/SoftwareType_getSecurityCategoryFromAggregateMovementItemByPerson.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_body</string> </key>
+            <value> <string encoding="cdata"><![CDATA[
+# XXX For now, this script requires proxy manager\n
+\n
+# base_category_list : list of category values we need to retrieve\n
+# user_name : string obtained from getSecurityManager().getUser().getUserName() [NuxUserGroup]\n
+#             or from getSecurityManager().getUser().getId() [PluggableAuthService with ERP5GroupManager]\n
+# object : object which we want to assign roles to.\n
+# portal_type : portal type of object\n
+\n
+# must always return a list of dicts\n
+\n
+category_list = []\n
+\n
+if obj is None:\n
+  return []\n
+\n
+movement_portal_type = "Sale Order Line"\n
+\n
+portal = obj.getPortalObject()\n
+\n
+security_dict = {}\n
+\n
+parent_url_list = []\n
+for movement in portal.portal_catalog(\n
+  portal_type=movement_portal_type,\n
+  strict_aggregate_uid=obj.getUid(),\n
+  simulation_state=(\'ordered\', \'confirmed\'),\n
+  ):\n
+  item = movement.getDestinationSectionValue(portal_type="Person")\n
+  if item is not None:\n
+    parent_url_list.append(item.getRelativeUrl())\n
+\n
+if len(parent_url_list) > 0:\n
+  parent_url_list.sort()\n
+  category_list.append({"destination_section": parent_url_list})\n
+return category_list\n
+]]></string> </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>SoftwareType_getSecurityCategoryFromAggregateMovementItemByPerson</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/master/bt5/vifib_erp5/bt/revision
+++ b/master/bt5/vifib_erp5/bt/revision
-326
+327
\ No newline at end of file