Role Definition: disallow giving arbitrary role using setRoleName directly

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@29538 20353a03-c40f-0410-a6d1-a30d3c3de9de

bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_getRoleNameItemList.xml

@@ -54,13 +54,10 @@
         <item>
             <key> <string>_body</string> </key>
             <value> <string>from Products.ERP5Type.Message import translateString\n
-item_list = [(\'\', \'\')]\n
 \n
-for role in context.valid_roles():\n
-  if role not in (\'Owner\', \'Manager\', \'Assignor\',):\n
-    item_list.append((translateString(role), role))\n
-\n
-return item_list\n
+return [(translateString(role), role)\n
+        for role in context.valid_roles()\n
+        if role not in (\'Owner\', \'Manager\')]\n
 </string> </value>
         </item>
         <item>
@@ -99,7 +96,8 @@ return item_list\n
                           <tuple>
                             <string>Products.ERP5Type.Message</string>
                             <string>translateString</string>
-                            <string>item_list</string>
+                            <string>append</string>
+                            <string>$append0</string>
                             <string>_getiter_</string>
                             <string>_getattr_</string>
                             <string>context</string>

bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/RoleDefinition_viewFieldLibrary/my_role_name.xml

@@ -13,9 +13,9 @@
             <key> <string>delegated_list</string> </key>
             <value>
               <list>
-                <string>title</string>
                 <string>description</string>
                 <string>items</string>
+                <string>title</string>
               </list>
             </value>
         </item>
@@ -133,7 +133,7 @@
       <dictionary>
         <item>
             <key> <string>_text</string> </key>
-            <value> <string>here/RoleDefinition_getRoleNameItemList</string> </value>
+            <value> <string>python: [(\'\',\'\')] + here.RoleDefinition_getRoleNameItemList()</string> </value>
         </item>
       </dictionary>
     </pickle>

bt5/erp5_base/bt/revision

-637
\ No newline at end of file
+638
\ No newline at end of file

product/ERP5/Document/RoleDefinition.py

@@ -25,7 +25,7 @@
 #
 ##############################################################################
 
-from AccessControl import ClassSecurityInfo
+from AccessControl import ClassSecurityInfo, Unauthorized
 from Products.CMFCore.utils import getToolByName
 from Products.ERP5Type import Permissions, PropertySheet, Constraint, interfaces
 from Products.ERP5Type.XMLObject import XMLObject
@@ -49,3 +49,9 @@ class RoleDefinition(XMLObject):
                       , PropertySheet.DublinCore
                       , PropertySheet.RoleDefinition
                       )
+
+    def _setRoleName(self, value):
+      if value and value not in \
+         zip(*self.RoleDefinition_getRoleNameItemList())[1]:
+        raise Unauthorized("You are not allowed to give %s role" % value)
+      self._baseSetRoleName(value)

product/ERP5/tests/testERP5Web.py

@@ -1043,6 +1043,8 @@ class TestERP5WebWithSimpleSecurity(ERP5TypeTestCase):
                           site.get_local_roles_for_userid(person_reference))
     self.assertSameSet(('Associate',),
                           section.get_local_roles_for_userid(person_reference))
+    self.assertRaises(Unauthorized, site_role_definition.edit,
+                      role_name='Manager')
 
     # delete Role Definition and check again (local roles must be gone too)
     site.manage_delObjects(site_role_definition.getId())