1. 05 Dec, 2014 2 commits
    • Update testIdToolUpgrade due to recent change in IdTool compatibility code · 1b062408
      Julien Muchembled authored
      testIdToolUpgrade failed since commit a463bc45
    • ERP5Form : solve security issues with dynamic dialog Folder_viewSearchDialog · 235c29f3
      Sebastien Robin authored
      With a non manager user, the dialog was raising an UnauthorizedError
      when accessing form properties like id or update_action.
      
      With verbose security we had :
      Unauthorized: Your user account does not have the required permission.
      Access to 'update_action' of (ERP5Form at /erp5/person_module/Folder_viewSearchDialog)
      denied. Your user account, [some account], exists at /erp5/acl_users. Access requires
      one of the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor', 'Author',
      'Manager']. Your roles in this context are ['Authenticated', 'Member'].
      
      By looking further, this regression started with the introduction of the erp5_hal_json_style
      bt, which installs the ERP5 Form portal type with "Acquire Local Roles" unchecked.
      
      By looking also at the acquisition chain of a usual Form:
      
      (Pdb) self.person_module.PersonModule_viewPersonList.aq_chain
      [<ERP5 Form at /erp5/PersonModule_viewPersonList used for /erp5/person_module>,
       <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >,
       <ZPublisher.BaseRequest.RequestContainer object at 0x7f76305cae90>]
      
      And at the one of Folder_viewSearchDialog:
      
      (Pdb) self.person_module.Folder_viewSearchDialog().aq_chain
      [<ERP5Form at /erp5/person_module/Folder_viewSearchDialog>,
       <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >,
       <ZPublisher.BaseRequest.RequestContainer object at 0x7f05f0751850>]
      
      It seems fixing the acquisition chain is a better option than allowing Acquire Local
      Roles on all forms. We now have the following chain for this dialog:
      
      After this patch, we have :
      (Pdb) self.person_module.Folder_viewSearchDialog().aq_chain
      [<ERP5Form at /erp5/Folder_viewSearchDialog used for /erp5/person_module>,
       <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >,
       <ZPublisher.BaseRequest.RequestContainer object at 0x7f76305cae90>]
  2. 04 Dec, 2014 1 commit
  3. 03 Dec, 2014 4 commits
  4. 02 Dec, 2014 4 commits
  5. 01 Dec, 2014 5 commits
  6. 28 Nov, 2014 1 commit
  7. 27 Nov, 2014 3 commits
  8. 26 Nov, 2014 4 commits
  9. 25 Nov, 2014 2 commits
  10. 24 Nov, 2014 11 commits
  11. 21 Nov, 2014 3 commits