Commit 8fbd45f5 authored by Julien Muchembled's avatar Julien Muchembled

Role Definition: disallow giving arbitrary role using setRoleName directly

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@29538 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent c5aa3860
......@@ -54,13 +54,10 @@
<item>
<key> <string>_body</string> </key>
<value> <string>from Products.ERP5Type.Message import translateString\n
item_list = [(\'\', \'\')]\n
\n
for role in context.valid_roles():\n
if role not in (\'Owner\', \'Manager\', \'Assignor\',):\n
item_list.append((translateString(role), role))\n
\n
return item_list\n
return [(translateString(role), role)\n
for role in context.valid_roles()\n
if role not in (\'Owner\', \'Manager\')]\n
</string> </value>
</item>
<item>
......@@ -99,7 +96,8 @@ return item_list\n
<tuple>
<string>Products.ERP5Type.Message</string>
<string>translateString</string>
<string>item_list</string>
<string>append</string>
<string>$append0</string>
<string>_getiter_</string>
<string>_getattr_</string>
<string>context</string>
......
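Review bot: The rewritten comprehension excludes only 'Owner' and 'Manager', so 'Assignor' — which the removed loop also filtered out — is now offered by RoleDefinition_getRoleNameItemList and, because RoleDefinition._setRoleName in this same commit uses this script's output as its allow-list, becomes assignable through a role definition; the commit message does not mention this widening. If it is intended, a one-line comment in the script body would stop the next reader from treating it as an accidental drop, e.g. `# Assignor is deliberately assignable; only Owner and Manager are reserved`. If it is not, restore the tuple to `if role not in ('Owner', 'Manager', 'Assignor')]` (escaped as `\'` inside the XML string). The leading `('', '')` placeholder entry moves to the form's TALES expression, so any other caller that relied on the script returning it as the first item will see the change.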
......@@ -13,9 +13,9 @@
<key> <string>delegated_list</string> </key>
<value>
<list>
<string>title</string>
<string>description</string>
<string>items</string>
<string>title</string>
</list>
</value>
</item>
......@@ -133,7 +133,7 @@
<dictionary>
<item>
<key> <string>_text</string> </key>
<value> <string>here/RoleDefinition_getRoleNameItemList</string> </value>
<value> <string>python: [(\'\',\'\')] + here.RoleDefinition_getRoleNameItemList()</string> </value>
</item>
</dictionary>
</pickle>
......
637
\ No newline at end of file
638
\ No newline at end of file
......@@ -25,7 +25,7 @@
#
##############################################################################
from AccessControl import ClassSecurityInfo
from AccessControl import ClassSecurityInfo, Unauthorized
from Products.CMFCore.utils import getToolByName
from Products.ERP5Type import Permissions, PropertySheet, Constraint, interfaces
from Products.ERP5Type.XMLObject import XMLObject
......@@ -49,3 +49,9 @@ class RoleDefinition(XMLObject):
, PropertySheet.DublinCore
, PropertySheet.RoleDefinition
)
def _setRoleName(self, value):
if value and value not in \
zip(*self.RoleDefinition_getRoleNameItemList())[1]:
raise Unauthorized("You are not allowed to give %s role" % value)
self._baseSetRoleName(value)
......@@ -1043,6 +1043,8 @@ class TestERP5WebWithSimpleSecurity(ERP5TypeTestCase):
site.get_local_roles_for_userid(person_reference))
self.assertSameSet(('Associate',),
section.get_local_roles_for_userid(person_reference))
self.assertRaises(Unauthorized, site_role_definition.edit,
role_name='Manager')
# delete Role Definition and check again (local roles must be gone too)
site.manage_delObjects(site_role_definition.getId())
......
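Review bot: The new assertRaises at the end of this hunk covers only the rejected 'Manager' role; a companion assertion that a role offered by RoleDefinition_getRoleNameItemList still goes through `site_role_definition.edit(role_name=...)` and appears in get_local_roles_for_userid would pin both sides of the new _setRoleName guard, and a case with an empty role list would catch the IndexError path in the setter. `Unauthorized` must be in this test module's namespace; its import, like the start of the enclosing test method, is outside the hunk. The existing 'Associate' assertions above suggest that role as the positive case, but confirm it is in the item list for this site.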