From a167d7135b569002225ce8082820aaab18e8b123 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
Date: Thu, 26 Apr 2007 16:57:18 +0000
Subject: [PATCH] Use sci['object'] instead of sci.object to workaround
 security problems with proxy roles in workflow scripts.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@14248 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 .../preference_workflow/scripts/disableOtherPreferences.xml  | 5 +++--
 .../scripts/Predicate_updateMatrix.xml                       | 3 ++-
 .../rule_interaction_workflow/scripts/Rule_updateMatrix.xml  | 5 +++--
 product/ERP5/bootstrap/erp5_core/bt/revision                 | 2 +-
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/preference_workflow/scripts/disableOtherPreferences.xml b/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/preference_workflow/scripts/disableOtherPreferences.xml
index cc7efdf780..e1acd3302e 100644
--- a/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/preference_workflow/scripts/disableOtherPreferences.xml
+++ b/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/preference_workflow/scripts/disableOtherPreferences.xml
@@ -70,7 +70,7 @@
             <key> <string>_body</string> </key>
             <value> <string>from Products.ERP5Type.Message import Message\n
 \n
-pref = sci.object\n
+pref = sci[\'object\']\n
 portal = sci.getPortal()\n
 LOG = lambda msg: pref.log("PreferenceWorkflow.disableOtherPreferences on %s"%pref, msg)\n
 N_ = lambda msg, **kw: Message(\'erp5_ui\', msg, **kw)\n
@@ -141,8 +141,9 @@ for p in portal.portal_preferences.searchFolder(spec=(\'ERP5 Preference\',)) :\n
                             <string>sci</string>
                             <string>Products.ERP5Type.Message</string>
                             <string>Message</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>pref</string>
+                            <string>_getattr_</string>
                             <string>portal</string>
                             <string>LOG</string>
                             <string>N_</string>
diff --git a/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Predicate_updateMatrix.xml b/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Predicate_updateMatrix.xml
index ac39f43b62..d8df167b68 100644
--- a/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Predicate_updateMatrix.xml
+++ b/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Predicate_updateMatrix.xml
@@ -68,7 +68,7 @@
         </item>
         <item>
             <key> <string>_body</string> </key>
-            <value> <string>rule = state_change.object.getParentValue()\n
+            <value> <string>rule = state_change[\'object\'].getParentValue()\n
 \n
 if rule.getPortalType() in (\'Invoice Transaction Rule\', \'Payment Rule\') :\n
   rule.activate(\n
@@ -119,6 +119,7 @@ if rule.getPortalType() in (\'Invoice Transaction Rule\', \'Payment Rule\') :\n
                           <tuple>
                             <string>state_change</string>
                             <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>rule</string>
                           </tuple>
                         </value>
diff --git a/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Rule_updateMatrix.xml b/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Rule_updateMatrix.xml
index 6c68e52de1..32f38c1138 100644
--- a/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Rule_updateMatrix.xml
+++ b/product/ERP5/bootstrap/erp5_core/WorkflowTemplateItem/portal_workflow/rule_interaction_workflow/scripts/Rule_updateMatrix.xml
@@ -68,7 +68,7 @@
         </item>
         <item>
             <key> <string>_body</string> </key>
-            <value> <string>matrix = state_change.object\n
+            <value> <string>matrix = state_change[\'object\']\n
 matrix.activate(\n
     after_path_and_method_id=([matrix.getPath(),],\n
         [\'immediateReindexObject\', \'recursiveImmediateReindexObject\'])\n
@@ -116,8 +116,9 @@ matrix.activate(\n
                         <value>
                           <tuple>
                             <string>state_change</string>
-                            <string>_getattr_</string>
+                            <string>_getitem_</string>
                             <string>matrix</string>
+                            <string>_getattr_</string>
                           </tuple>
                         </value>
                     </item>
diff --git a/product/ERP5/bootstrap/erp5_core/bt/revision b/product/ERP5/bootstrap/erp5_core/bt/revision
index e0da8ae09a..c0d6976f6b 100644
--- a/product/ERP5/bootstrap/erp5_core/bt/revision
+++ b/product/ERP5/bootstrap/erp5_core/bt/revision
@@ -1 +1 @@
-309
\ No newline at end of file
+314
\ No newline at end of file
-- 
2.30.9