Implemented basic security settings (6 policies)

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11041 20353a03-c40f-0410-a6d1-a30d3c3de9de

Implemented basic security settings (6 policies)
git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11041 20353a03-c40f-0410-a6d1-a30d3c3de9de
6fa904ff · Bartek Górny · ada49245 · 6fa904ff · 6fa904ff · 6fa904ff
Commit 6fa904ff authored Nov 01, 2006 by Bartek Górny
14 changed files
--- a/bt5/erp5_dms/PortalTypeRolesTemplateItem/Text.xml
+++ b/bt5/erp5_dms/PortalTypeRolesTemplateItem/Text.xml
 <type_roles>
  <role id='Associate'>
-   <property id='title'>Project Assignees</property>
-   <property id='description'>Policy: personal/project
+   <property id='title'>Project Associates</property>
+   <property id='description'>Policy: */project
 Rule: all project members have a right to access document once it has been shared or released</property>
-   <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property>
+   <property id='condition'>python:object.Document_policyApplies('*/project')</property>
   <property id='priority'>10</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
   <multi_property id='category'></multi_property>
   <multi_property id='base_category'>source_project</multi_property>
  </role>
  <role id='Assignor'>
-   <property id='title'>P/P - Project Director</property>
-   <property id='description'>Policy: personal/project
+   <property id='title'>Project Director</property>
+   <property id='description'>Policy: */project
 Rule: project director is an Assignor (has management rights to the doc - can review it, release, publish, add local roles)</property>
-   <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property>
+   <property id='condition'>python:object.Document_policyApplies('*/project')</property>
   <property id='priority'>10</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
-   <multi_property id='category'>function/project/director</multi_property>
+   <multi_property id='category'>function/knowledge/manager</multi_property>
   <multi_property id='base_category'>source_project</multi_property>
   <multi_property id='base_category'>function</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>P/P - Project Owner</property>
-   <property id='description'>Policy: personal/project
-Rule: the creator is Assignee - can edit the doc and share it with the team</property>
-   <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property>
+   <property id='title'>Owner</property>
+   <property id='description'>Policy: */*
+Rule: the creator is Assignee - can edit the doc and submit it</property>
   <property id='priority'>10</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromUser</property>
   <multi_property id='category'></multi_property>
   <multi_property id='base_category'>reference</multi_property>
  </role>
  <role id='Auditor'>
-   <property id='title'>P/P - Organisation members</property>
-   <property id='description'>Policy: personal/project
-Rule: all people working for the same organisation are Auditors (we identify the organisation by the first part of the "group" path)</property>
-   <property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/personal/project')</property>
+   <property id='title'>Organisation members</property>
+   <property id='description'>Policy: */*
+Rule: all people working for the same organisation are Auditors (we identify the organisation by the first part of the "group" path)
+This does not apply if it is a project document and does not have a project</property>
+   <property id='condition'>python: not object.Document_policyApplies('*/restricted') and (object.Document_policyApplies('*/project') or not object.Document_policyApplies('*/project',True) )</property>
   <property id='priority'>10</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryRoot</property>
   <multi_property id='category'></multi_property>
   <multi_property id='base_category'>group</multi_property>
  </role>
+  <role id='Assignee'>
+   <property id='title'>Project Collaborators</property>
+   <property id='description'>Policy: collaborative/project
+Rule: all members of project team can edit the document before it is submitted, and can submit it</property>
+   <property id='condition'>python:object.Document_policyApplies('collaborative/project')</property>
+   <property id='priority'>10</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
+   <multi_property id='category'></multi_property>
+   <multi_property id='base_category'>source_project</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Team Director</property>
+   <property id='description'>Policy: */team
+Rule: team manager is an Assignor (has management rights to the doc - can review it, release, publish, add local roles)</property>
+   <property id='condition'>python:object.Document_policyApplies('*/team')</property>
+   <property id='priority'>10</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
+   <multi_property id='category'>function/knowledge/manager</multi_property>
+   <multi_property id='base_category'>group</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
+  <role id='Associate'>
+   <property id='title'>Team Associates</property>
+   <property id='description'>Policy: */team
+Rule: all team members have a right to access document once it has been shared or released</property>
+   <property id='condition'>python:object.Document_policyApplies('*/team')</property>
+   <property id='priority'>10</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
+   <multi_property id='category'></multi_property>
+   <multi_property id='base_category'>group</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>Team Collaborators</property>
+   <property id='description'>Policy: collaborative/team
+Rule: all members of the team can edit the document before it is submitted, and can submit it</property>
+   <property id='condition'>python:object.Document_policyApplies('collaborative/team')</property>
+   <property id='priority'>10</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
+   <multi_property id='category'></multi_property>
+   <multi_property id='base_category'>group</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>Public Collaborators</property>
+   <property id='description'>Policy: collaborative/public
+Rule: everyone in the organisation (root group) can edit the doc before it is submitted, and can suggest its publication</property>
+   <property id='condition'>python:object.Document_policyApplies('collaborative/public')</property>
+   <property id='priority'>10</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryRoot</property>
+   <multi_property id='category'></multi_property>
+   <multi_property id='base_category'>group</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Public Reviewer</property>
+   <property id='description'>Policy: collaborative/public
+Rule: any person with knowledge/manager role can publish the document and manage access rights to it</property>
+   <property id='condition'>python:object.Document_policyApplies('collaborative/public')</property>
+   <property id='priority'>10</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
+   <multi_property id='category'>function/knowledge/manager</multi_property>
+   <multi_property id='base_category'>function</multi_property>
+  </role>
 </type_roles>
\ No newline at end of file
--- a/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/Document_policyApplies.xml
+++ b/bt5/erp5_dms/SkinTemplateItem/portal_skins/erp5_dms/Document_policyApplies.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <tuple>
+        <tuple>
+          <string>Products.PythonScripts.PythonScript</string>
+          <string>PythonScript</string>
+        </tuple>
+        <none/>
+      </tuple>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Python_magic</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>__ac_local_roles__</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_body</string> </key>
+            <value> <string>klass=context.getClassification()\n
+if klass is None:return False\n
+kl=klass.split(\'/\')\n
+\n
+if len(kl)==1:\n
+  # personal = personal/restricted\n
+  if kl[0]==\'personal\':kl.append(\'restricted\')\n
+  # collaborative = collaborative/team\n
+  if kl[0]==\'collaborative\':kl.append(\'team\')\n
+\n
+# personal/restricted is unconditional\n
+if kl==[\'personal,restricted\']:\n
+  return policy==\'personal/restricted\'\n
+\n
+pol=policy.split(\'/\')\n
+\n
+\n
+if not membershiponly:\n
+  # project policies do not apply if we don\'t have source_project\n
+  if pol[1]==\'project\':\n
+    if context.getSourceProject()==None:\n
+      return False\n
+\n
+# if all conditions are met, check if the policy is ok (wildcards are ok)\n
+return (pol[0] in (\'*\',kl[0])) and (pol[1] in (\'*\',kl[1]))\n
+</string> </value>
+        </item>
+        <item>
+            <key> <string>_code</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_filepath</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_owner</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>policy,membershiponly=False</string> </value>
+        </item>
+        <item>
+            <key> <string>errors</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>func_code</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="FuncCode" module="Shared.DC.Scripts.Signature"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>co_argcount</string> </key>
+                        <value> <int>2</int> </value>
+                    </item>
+                    <item>
+                        <key> <string>co_varnames</string> </key>
+                        <value>
+                          <tuple>
+                            <string>policy</string>
+                            <string>membershiponly</string>
+                            <string>_getattr_</string>
+                            <string>context</string>
+                            <string>klass</string>
+                            <string>None</string>
+                            <string>False</string>
+                            <string>kl</string>
+                            <string>len</string>
+                            <string>_getitem_</string>
+                            <string>pol</string>
+                          </tuple>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>func_defaults</string> </key>
+            <value>
+              <tuple>
+                <int>0</int>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Document_policyApplies</string> </value>
+        </item>
+        <item>
+            <key> <string>warnings</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/archived.xml
@@ -74,7 +74,6 @@
                        <string>Assignee</string>
                        <string>Assignor</string>
                        <string>Associate</string>
-                        <string>Auditor</string>
                        <string>Manager</string>
                        <string>Owner</string>
                      </tuple>
@@ -113,7 +112,6 @@
                        <string>Assignee</string>
                        <string>Assignor</string>
                        <string>Associate</string>
-                        <string>Auditor</string>
                        <string>Manager</string>
                        <string>Owner</string>
                      </tuple>

--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/draft.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/draft.xml
@@ -42,8 +42,6 @@
              <tuple>
                <string>cancel</string>
                <string>cancel_action</string>
-                <string>share</string>
-                <string>share_action</string>
                <string>submit</string>
                <string>submit_action</string>
              </tuple>

--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/shared.xml
@@ -48,10 +48,6 @@
              <tuple>
                <string>archive</string>
                <string>archive_action</string>
-                <string>retract</string>
-                <string>retract_action</string>
-                <string>submit</string>
-                <string>submit_action</string>
              </tuple>
            </value>
        </item>

--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/submitted.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/states/submitted.xml
@@ -48,6 +48,8 @@
                <string>reject_action</string>
                <string>release</string>
                <string>release_action</string>
+                <string>share</string>
+                <string>share_action</string>
              </tuple>
            </value>
        </item>

--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <tuple>
-        <tuple>
-          <string>Products.DCWorkflow.Transitions</string>
-          <string>TransitionDefinition</string>
-        </tuple>
-        <none/>
-      </tuple>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>__ac_local_roles__</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-        <item>
-            <key> <string>_owner</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-        <item>
-            <key> <string>actbox_category</string> </key>
-            <value> <string>workflow</string> </value>
-        </item>
-        <item>
-            <key> <string>actbox_name</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>actbox_url</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>after_script_name</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>description</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>guard</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>retract</string> </value>
-        </item>
-        <item>
-            <key> <string>new_state_id</string> </key>
-            <value> <string>draft</string> </value>
-        </item>
-        <item>
-            <key> <string>script_name</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>trigger_type</string> </key>
-            <value> <int>2</int> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract_action.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/retract_action.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <tuple>
-        <tuple>
-          <string>Products.DCWorkflow.Transitions</string>
-          <string>TransitionDefinition</string>
-        </tuple>
-        <none/>
-      </tuple>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>__ac_local_roles__</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-        <item>
-            <key> <string>_owner</string> </key>
-            <value>
-              <none/>
-            </value>
-        </item>
-        <item>
-            <key> <string>actbox_category</string> </key>
-            <value> <string>workflow</string> </value>
-        </item>
-        <item>
-            <key> <string>actbox_name</string> </key>
-            <value> <string>Retract</string> </value>
-        </item>
-        <item>
-            <key> <string>actbox_url</string> </key>
-            <value> <string>%(content_url)s/BaseWorkflow_viewWorkflowActionDialog?workflow_action=retract_action</string> </value>
-        </item>
-        <item>
-            <key> <string>after_script_name</string> </key>
-            <value> <string>retract</string> </value>
-        </item>
-        <item>
-            <key> <string>description</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>guard</string> </key>
-            <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
-            </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>retract_action</string> </value>
-        </item>
-        <item>
-            <key> <string>new_state_id</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>script_name</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value> <string></string> </value>
-        </item>
-        <item>
-            <key> <string>trigger_type</string> </key>
-            <value> <int>1</int> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-  <record id="2" aka="AAAAAAAAAAI=">
-    <pickle>
-      <tuple>
-        <tuple>
-          <string>Products.DCWorkflow.Guard</string>
-          <string>Guard</string>
-        </tuple>
-        <none/>
-      </tuple>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>roles</string> </key>
-            <value>
-              <tuple>
-                <string>Assignee</string>
-                <string>Owner</string>
-              </tuple>
-            </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/share_action.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/share_action.xml
@@ -95,8 +95,7 @@
            <key> <string>roles</string> </key>
            <value>
              <tuple>
-                <string>Assignee</string>
-                <string>Owner</string>
+                <string>Assignor</string>
              </tuple>
            </value>
        </item>
@@ -117,7 +116,7 @@
      <dictionary>
        <item>
            <key> <string>text</string> </key>
-            <value> <string>python:here.isMemberOf(\'classification/personal\')</string> </value>
+            <value> <string>python:here.Document_policyApplies(\'personal/*\')</string> </value>
        </item>
      </dictionary>
    </pickle>

--- a/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/submit_action.xml
+++ b/bt5/erp5_dms/WorkflowTemplateItem/portal_workflow/document_publication_workflow/transitions/submit_action.xml
@@ -79,6 +79,12 @@
    </pickle>
    <pickle>
      <dictionary>
+        <item>
+            <key> <string>expr</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+            </value>
+        </item>
        <item>
            <key> <string>roles</string> </key>
            <value>
@@ -91,4 +97,23 @@
      </dictionary>
    </pickle>
  </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <tuple>
+        <tuple>
+          <string>Products.CMFCore.Expression</string>
+          <string>Expression</string>
+        </tuple>
+        <none/>
+      </tuple>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>text</string> </key>
+            <value> <string>python:not here.Document_policyApplies(\'*/restricted\')</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>
--- a/bt5/erp5_dms/bt/change_log
+++ b/bt5/erp5_dms/bt/change_log
+2006-11-01
+Implemented basic security settings (6 policies)
+
 2006-10-30
 Removed "collaborated", added "shared"
 Implemented "personal/project" security classification

--- a/bt5/erp5_dms/bt/dependency_list
+++ b/bt5/erp5_dms/bt/dependency_list
-erp5_project
\ No newline at end of file
--- a/bt5/erp5_dms/bt/revision
+++ b/bt5/erp5_dms/bt/revision
-290
\ No newline at end of file
+292
\ No newline at end of file
--- a/bt5/erp5_dms/bt/version
+++ b/bt5/erp5_dms/bt/version
-0.81
\ No newline at end of file
+0.82
\ No newline at end of file