Commit eba8d3ae authored by Jérome Perrin's avatar Jérome Perrin

Merge !393 dms: do not grant permissions based on Owner role

My use case is that we have an ERP5 configuration where a PDF document is "implictly" created when user validate an invoice. Later this PDF becomes "secret" and we want to remove permissions on the PDF to all except a small  group of users.

Please also read commit message for more uses cases.

My idea is to change globally document publication workflow to remove permissions for Owner, because usually in workflow we don't have security for Owner, except in draft states.
For cases where the user who created the document must have certain permissions for the whole lifetime of the document, we can create a security rule where this user would be Associate.
Also, for the case of documents, maybe we would want to use *Contributors* fields instead of Owner, as it gives more flexibility.

In what I am suggesting, the permissions by state would change from:

![Screenshot_2017-09-15_at_16.12.53](/uploads/5b3664a2663deb893ea4f8fc9858a52f/Screenshot_2017-09-15_at_16.12.53.png)

to:

![Screenshot_2017-09-15_at_17.34.34](/uploads/95803dc89e1a2501c29872a6a5131c33/Screenshot_2017-09-15_at_17.34.34.png)

The full updated `document_publication_workflow` specification would be:

[P-ERP5.Workflow.Security.After.Removing.Owner.pdf](/uploads/02eac46ec436385d0d0577695803b3b5/P-ERP5.Workflow.Security.After.Removing.Owner.pdf)

But this is an incompatible change, because some users will loose access to some documents they use to have access.

/reviewed-on nexedi/erp5!393
parents b3e73249 1664e541
...@@ -41,18 +41,12 @@ ...@@ -41,18 +41,12 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<tuple>
<string>Persistence</string>
<string>PersistentMapping</string>
</tuple>
<none/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
<item> <item>
<key> <string>_container</string> </key> <key> <string>data</string> </key>
<value> <value>
<dictionary> <dictionary>
<item> <item>
...@@ -63,7 +57,6 @@ ...@@ -63,7 +57,6 @@
<string>Assignor</string> <string>Assignor</string>
<string>Associate</string> <string>Associate</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -101,7 +94,6 @@ ...@@ -101,7 +94,6 @@
<string>Assignor</string> <string>Assignor</string>
<string>Associate</string> <string>Associate</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -46,10 +46,7 @@ ...@@ -46,10 +46,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -64,7 +61,6 @@ ...@@ -64,7 +61,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -104,7 +100,6 @@ ...@@ -104,7 +100,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -44,18 +44,12 @@ ...@@ -44,18 +44,12 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<tuple>
<string>Persistence</string>
<string>PersistentMapping</string>
</tuple>
<none/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
<item> <item>
<key> <string>_container</string> </key> <key> <string>data</string> </key>
<value> <value>
<dictionary> <dictionary>
<item> <item>
...@@ -65,7 +59,6 @@ ...@@ -65,7 +59,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -100,7 +93,6 @@ ...@@ -100,7 +93,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -56,10 +56,7 @@ ...@@ -56,10 +56,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -74,7 +71,6 @@ ...@@ -74,7 +71,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -114,7 +110,6 @@ ...@@ -114,7 +110,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -48,18 +48,12 @@ ...@@ -48,18 +48,12 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<tuple>
<string>Persistence</string>
<string>PersistentMapping</string>
</tuple>
<none/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
<item> <item>
<key> <string>_container</string> </key> <key> <string>data</string> </key>
<value> <value>
<dictionary> <dictionary>
<item> <item>
...@@ -72,7 +66,6 @@ ...@@ -72,7 +66,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -112,7 +105,6 @@ ...@@ -112,7 +105,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -48,10 +48,7 @@ ...@@ -48,10 +48,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -69,7 +66,6 @@ ...@@ -69,7 +66,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -112,7 +108,6 @@ ...@@ -112,7 +108,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -50,18 +50,12 @@ ...@@ -50,18 +50,12 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<tuple>
<string>Persistence</string>
<string>PersistentMapping</string>
</tuple>
<none/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
<item> <item>
<key> <string>_container</string> </key> <key> <string>data</string> </key>
<value> <value>
<dictionary> <dictionary>
<item> <item>
...@@ -73,7 +67,6 @@ ...@@ -73,7 +67,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -112,7 +105,6 @@ ...@@ -112,7 +105,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -52,10 +52,7 @@ ...@@ -52,10 +52,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -72,7 +69,6 @@ ...@@ -72,7 +69,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -114,7 +110,6 @@ ...@@ -114,7 +110,6 @@
<string>Associate</string> <string>Associate</string>
<string>Auditor</string> <string>Auditor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -46,10 +46,7 @@ ...@@ -46,10 +46,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -64,7 +61,6 @@ ...@@ -64,7 +61,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -102,7 +98,6 @@ ...@@ -102,7 +98,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -50,10 +50,7 @@ ...@@ -50,10 +50,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -69,7 +66,6 @@ ...@@ -69,7 +66,6 @@
<string>Assignor</string> <string>Assignor</string>
<string>Associate</string> <string>Associate</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -107,7 +103,6 @@ ...@@ -107,7 +103,6 @@
<string>Assignor</string> <string>Assignor</string>
<string>Associate</string> <string>Associate</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -56,10 +56,7 @@ ...@@ -56,10 +56,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -75,7 +72,6 @@ ...@@ -75,7 +72,6 @@
<string>Assignor</string> <string>Assignor</string>
<string>Associate</string> <string>Associate</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -116,7 +112,6 @@ ...@@ -116,7 +112,6 @@
<string>Assignor</string> <string>Assignor</string>
<string>Associate</string> <string>Associate</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -44,10 +44,7 @@ ...@@ -44,10 +44,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -62,7 +59,6 @@ ...@@ -62,7 +59,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -102,7 +98,6 @@ ...@@ -102,7 +98,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
...@@ -48,10 +48,7 @@ ...@@ -48,10 +48,7 @@
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle> <pickle>
<tuple> <global name="PersistentMapping" module="Persistence.mapping"/>
<global name="PersistentMapping" module="Persistence.mapping"/>
<tuple/>
</tuple>
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
...@@ -66,7 +63,6 @@ ...@@ -66,7 +63,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
...@@ -104,7 +100,6 @@ ...@@ -104,7 +100,6 @@
<string>Assignee</string> <string>Assignee</string>
<string>Assignor</string> <string>Assignor</string>
<string>Manager</string> <string>Manager</string>
<string>Owner</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment