Commit 574b660d authored by Rafael Monnerat's avatar Rafael Monnerat

slapos_erp5: Update security on tickets from the Project related to the...

slapos_erp5: Update security on tickets from the Project related to the computer or Hosting Subscription
parent 91ae216b
......@@ -19,4 +19,22 @@
<multi_property id='category'>role/member</multi_property>
<multi_property id='base_category'>role</multi_property>
</role>
<role id='Auditor'>
<property id='title'>Organisation Member (Computer)</property>
<property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateComputerDestinationSection</property>
<multi_property id='categories'>local_role_group/organisation</multi_property>
<multi_property id='base_category'>destination_section</multi_property>
</role>
<role id='Auditor'>
<property id='title'>Organisation Member (HS)</property>
<property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestination</property>
<multi_property id='categories'>local_role_group/organisation</multi_property>
<multi_property id='base_category'>destination</multi_property>
</role>
<role id='Auditor'>
<property id='title'>Project Member</property>
<property id='base_category_script'>Item_getSecurityCategoryFromMovementAggregateDestinationProject</property>
<multi_property id='categories'>local_role_group/project</multi_property>
<multi_property id='base_category'>destination_project</multi_property>
</role>
</type_roles>
\ No newline at end of file
......@@ -5,6 +5,24 @@
<multi_property id='category'>group/company</multi_property>
<multi_property id='base_category'>group</multi_property>
</role>
<role id='Assignee'>
<property id='title'>Organisation Member (Computer)</property>
<property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateComputerDestinationSection</property>
<multi_property id='categories'>local_role_group/organisation</multi_property>
<multi_property id='base_category'>destination_section</multi_property>
</role>
<role id='Assignee'>
<property id='title'>Organisation Member (HS)</property>
<property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateDestination</property>
<multi_property id='categories'>local_role_group/organisation</multi_property>
<multi_property id='base_category'>destination</multi_property>
</role>
<role id='Assignee'>
<property id='title'>Project Member</property>
<property id='base_category_script'>Item_getSecurityCategoryFromMovementLineAggregateDestinationProject</property>
<multi_property id='categories'>local_role_group/project</multi_property>
<multi_property id='base_category'>destination_project</multi_property>
</role>
<role id='Assignee'>
<property id='title'>User</property>
<property id='description'>Monovalued role</property>
......
"""
This script returns a list of dictionaries which represent
the security groups which a person is member of. It extracts
the categories from the current content. It is useful in the
following cases:
- calculate a security group based on a given
category of the current object (ex. group). This
is used for example in ERP5 DMS to calculate
document security.
- assign local roles to a document based on
the person which the object related to through
a given base category (ex. destination). This
is used for example in ERP5 Project to calculate
Task / Task Report security.
The parameters are
base_category_list -- list of category values we need to retrieve
user_name -- string obtained from getSecurityManager().getUser().getId()
object -- object which we want to assign roles to
portal_type -- portal type of object
NOTE: for now, this script requires proxy manager
"""
category_list = []
if obj is None:
return []
aggregate_value = obj.getAggregateValue()
if aggregate_value is None:
return []
# Only proceed if aggregate is a Computer
if aggregate_value.getPortalType() != "Computer":
return []
# Object on this case can be Hosting Subscription, Computer, or Computer Network
organisation = aggregate_value.Item_getCurrentOwnerValue()
if organisation is not None and \
organisation.getPortalType() == "Organisation":
category_list.append({'destination_section': [organisation.getRelativeUrl()]})
return category_list
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>base_category_list, user_name, obj, portal_type</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>Item_getSecurityCategoryFromMovementAggregateComputerDestinationSection</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
"""
This script returns a list of dictionaries which represent
the security groups which a person is member of. It extracts
the categories from the current content. It is useful in the
following cases:
- calculate a security group based on a given
category of the current object (ex. group). This
is used for example in ERP5 DMS to calculate
document security.
- assign local roles to a document based on
the person which the object related to through
a given base category (ex. destination). This
is used for example in ERP5 Project to calculate
Task / Task Report security.
The parameters are
base_category_list -- list of category values we need to retrieve
user_name -- string obtained from getSecurityManager().getUser().getId()
object -- object which we want to assign roles to
portal_type -- portal type of object
NOTE: for now, this script requires proxy manager
"""
category_list = []
if obj is None:
return []
aggregate_value = obj.getAggregateValue()
if aggregate_value is None:
return []
# Limit the scope arround Hosting subscription otherwise we
# Leak security on the Computers placed on the same site.
if aggregate_value.getPortalType() != "Hosting Subscription":
return []
organisation = aggregate_value.Item_getCurrentSiteValue()
if organisation is not None and \
organisation.getPortalType() == "Organisation":
category_list.append({'destination': [organisation.getRelativeUrl()]})
return category_list
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>base_category_list, user_name, obj, portal_type</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>Item_getSecurityCategoryFromMovementAggregateDestination</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
"""
This script returns a list of dictionaries which represent
the security groups which a person is member of. It extracts
the categories from the current content. It is useful in the
following cases:
- calculate a security group based on a given
category of the current object (ex. group). This
is used for example in ERP5 DMS to calculate
document security.
- assign local roles to a document based on
the person which the object related to through
a given base category (ex. destination). This
is used for example in ERP5 Project to calculate
Task / Task Report security.
The parameters are
base_category_list -- list of category values we need to retrieve
user_name -- string obtained from getSecurityManager().getUser().getId()
object -- object which we want to assign roles to
portal_type -- portal type of object
NOTE: for now, this script requires proxy manager
"""
category_list = []
if obj is None:
return []
aggregate_value = None
for line in obj.objectValues():
aggregate_value = line.getAggregateValue()
if aggregate_value is not None:
break
if aggregate_value is None:
return []
# Only proceed if aggregate is a Computer
if aggregate_value.getPortalType() != "Computer":
return []
# Object on this case can be Hosting Subscription, Computer, or Computer Network
organisation = aggregate_value.Item_getCurrentOwnerValue()
if organisation is not None and \
organisation.getPortalType() == "Organisation":
category_list.append({'destination_section': [organisation.getRelativeUrl()]})
return category_list
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>base_category_list, user_name, obj, portal_type</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>Item_getSecurityCategoryFromMovementLineAggregateComputerDestinationSection</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
"""
This script returns a list of dictionaries which represent
the security groups which a person is member of. It extracts
the categories from the current content. It is useful in the
following cases:
- calculate a security group based on a given
category of the current object (ex. group). This
is used for example in ERP5 DMS to calculate
document security.
- assign local roles to a document based on
the person which the object related to through
a given base category (ex. destination). This
is used for example in ERP5 Project to calculate
Task / Task Report security.
The parameters are
base_category_list -- list of category values we need to retrieve
user_name -- string obtained from getSecurityManager().getUser().getId()
object -- object which we want to assign roles to
portal_type -- portal type of object
NOTE: for now, this script requires proxy manager
"""
category_list = []
if obj is None:
return []
aggregate_value = None
for line in obj.objectValues():
aggregate_value = line.getAggregateValue()
if aggregate_value is not None:
break
if aggregate_value is None:
return []
# Limit the scope arround Hosting subscription otherwise we
# Leak security on the Computers placed on the same site.
if aggregate_value.getPortalType() != "Hosting Subscription":
return []
organisation = aggregate_value.Item_getCurrentSiteValue()
if organisation is not None and \
organisation.getPortalType() == "Organisation":
category_list.append({'destination': [organisation.getRelativeUrl()]})
return category_list
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>base_category_list, user_name, obj, portal_type</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>Item_getSecurityCategoryFromMovementLineAggregateDestination</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
"""
This script returns a list of dictionaries which represent
the security groups which a person is member of. It extracts
the categories from the current content. It is useful in the
following cases:
- calculate a security group based on a given
category of the current object (ex. group). This
is used for example in ERP5 DMS to calculate
document security.
- assign local roles to a document based on
the person which the object related to through
a given base category (ex. destination). This
is used for example in ERP5 Project to calculate
Task / Task Report security.
The parameters are
base_category_list -- list of category values we need to retrieve
user_name -- string obtained from getSecurityManager().getUser().getId()
object -- object which we want to assign roles to
portal_type -- portal type of object
NOTE: for now, this script requires proxy manager
"""
category_list = []
if obj is None:
return []
aggregate_value = None
for line in obj.objectValues():
aggregate_value = line.getAggregateValue()
if aggregate_value is not None:
break
if aggregate_value is None:
return []
# Object on this case can be Hosting Subscription, Computer, or Computer Network
project = aggregate_value.Item_getCurrentProjectValue()
if project is not None:
category_list.append({'destination_project': [project.getRelativeUrl()]})
return category_list
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>base_category_list, user_name, obj, portal_type</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>