diff --git a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py
index bf17f9ee6f343cbd2b88036286544fe24ba112c3..e768f4a06e17c4cddc7f0f99239a3f95599adecd 100644
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py
@@ -1,7 +1,12 @@
+from AccessControl import getSecurityManager
+from zExceptions import Unauthorized
 from Products.ERP5Type.Document import newTempBase
 portal = context.getPortalObject()
 result = []
+if not getSecurityManager().getUser().has_permission('View History', context):
+ raise Unauthorized()
+
 def beautifyChange(change_dict):
 return ["%s:%s" % (k,change_dict[k]) for k in sorted(change_dict.keys())]
diff --git a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml
index 7b2fefd9596ae04cbc30a45ebc33e544dbb7ed80..4b2f4bb5a412e7211e23b28334db2b4e4318085d 100644
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml
@@ -164,7 +164,9 @@
 </item>
 <item>
 <key> <string>enabled</string> </key>
- <value> <string></string> </value>
+ <value>
+ <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+ </value>
 </item>
 <item>
 <key> <string>external_validator</string> </key>
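Review bot: `raise Unauthorized()` in the new guard carries no message, so a denied caller gets a bare Unauthorized and the log says nothing about which permission was missing; zExceptions.Unauthorized accepts a message, so something like `raise Unauthorized("'View History' permission required on %s" % context.getId())` (constructed example) keeps the exception type the test expects while making the denial self-explanatory. The guard also sits after `portal = context.getPortalObject()` and `result = []`; placing it directly under the imports makes the authorization check the first statement of the script, so later edits cannot slip work in above it. The remainder of the script, where the history entries are actually read, continues outside the hunk, so this note assumes no other code path reaches that data without going through this check.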
@@ -178,6 +180,10 @@
 <key> <string>hidden</string> </key>
 <value> <string></string> </value>
 </item>
+ <item>
+ <key> <string>input_type</string> </key>
+ <value> <string></string> </value>
+ </item>
 <item>
 <key> <string>link_type</string> </key>
 <value> <string></string> </value>
@@ -312,4 +318,17 @@
 </dictionary>
 </pickle>
 </record>
+ <record id="3" aka="AAAAAAAAAAM=">
+ <pickle>
+ <global name="TALESMethod" module="Products.Formulator.TALESField"/>
+ </pickle>
+ <pickle>
+ <dictionary>
+ <item>
+ <key> <string>_text</string> </key>
+ <value> <string>python: modules[\'AccessControl\'].getSecurityManager().getUser().has_permission(\'View History\', context)</string> </value>
+ </item>
+ </dictionary>
+ </pickle>
+ </record>
 </ZopeData>
diff --git a/product/ERP5/tests/testZODBHistory.py b/product/ERP5/tests/testZODBHistory.py
index 0a27c6812c9c79f6a4eda2da6217747878bcfac0..30f4c1a1629ce850749a66de4ff7af3d8b1fa6bc 100644
--- a/product/ERP5/tests/testZODBHistory.py
+++ b/product/ERP5/tests/testZODBHistory.py
@@ -122,6 +122,29 @@ class TestZODBHistory(ERP5TypeTestCase):
 # should be: create(1) + edit(60) = 61
 self.assertEqual(len(history_list), 61)
+ def test_testZODBHistorySecurity(self):
+ """
+ Make sure ZODB History is not available when user does not have "View History" permission.
+ """
+ self.loginByUserName('tatuya')
+ document = self.addOrganisation('document')
+
+ # by default, users have a link to view ZODB history in history tab
+ self.assertIn(
+ 'your_zodb_history',
+ [field.getId() for field in document.Base_viewHistory.get_fields()])
+
+ # when user does not have "View History" permission, the link is not displayed
+ document.manage_permission('View History', [], 0)
+ self.assertNotIn(
+ 'your_zodb_history',
+ [field.getId() for field in document.Base_viewHistory.get_fields()])
+
+ # accessing the form directly is not allowed either
+ from zExceptions import Unauthorized
+ self.assertRaises(Unauthorized, document.Base_viewZODBHistory)
+
+
 def test_suite():
 suite = unittest.TestSuite()
 suite.addTest(unittest.makeSuite(TestZODBHistory))
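Review bot: The direct-access assertion at the end of the new method only exercises `Base_viewZODBHistory`, while the check this commit adds lives in `Base_getZODBHistoryList`, so the test holds only as long as rendering the form eagerly invokes the listbox method; adding `self.assertRaises(Unauthorized, document.Base_getZODBHistoryList)` pins the script-level enforcement independently of how the form happens to be rendered. Two style points: the name `test_testZODBHistorySecurity` doubles the `test` prefix and `test_ZODBHistorySecurity` reads better, and `from zExceptions import Unauthorized` inside the method body belongs with the module imports, which are outside the hunk. The enclosing class TestZODBHistory starts outside the hunk.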