will be down from Thursday, 20 March 2025, 07:30:00 UTC for a duration of approximately 2 hours

Commit ad2af71e authored by Arnaud Fontaine's avatar Arnaud Fontaine

ZODB Components: Ensure that Permissions on Developer can be updated later (through Filesystem).

In 5d9c30e, Permissions were set in ComponentTool __init__ and it could not be
modified later on because it is set directly in the ZODB. Moreover,
Permissions could be modified after execution by modifying attributes.
parent 8dd602a1
......@@ -62,32 +62,34 @@ class ComponentTool(BaseTool):
security = ClassSecurityInfo()
def __init__(self, *args, **kwargs):
def _applyAllStaticSecurity(cls):
Except 'Access *', 'View*' and 'WebDAV' permissions (Acquired) and 'Reset
dynamic classes' (Manager, required to reset Components), everything
requires Developer Role.
Another solution would be to load it from XML as it was previously done,
but from a security point of view, it's better to forbid everything and
allows only some.
XXX-arnau: Really all 'Access *' and 'View*'? nothing else?
Apply static security on portal_components to ensure that nobody can
change Permissions, only 'ghost' Developer Role has Permissions to
add/modify/delete Components. Also, make these permissions read-only
thanks to 'property'.
cls is erp5.portal_type.Component Tool and not this class as this function
is called on Portal Type class when loading Componet Tool Portal Type
obj = BaseTool.__init__(self, *args, **kwargs)
for permission_tuple in self.ac_inherited_permissions(1):
name = permission_tuple[0]
value = permission_tuple[1]
if name == 'Reset dynamic classes':
p = Permission(name, value, self)
elif not (name.startswith('Access ') or
name.startswith('View') or
p = Permission(name, value, self)
return obj
# XXX-Cosmetic: From Zope >= 2.13, getPermissions() can be used instead of
# protected _registeredPermissions module attribute
from AccessControl.Permission import _registeredPermissions, pname
for permission_name in _registeredPermissions:
if permission_name == 'Reset dynamic classes':
permission_function = lambda self: ('Manager',)
elif permission_name in ('Change permissions', 'Define permissions'):
permission_function = lambda self: ()
elif not (permission_name.startswith('Access ') or
permission_name.startswith('View') or
permission_function = lambda self: ('Developer',)
setattr(cls, pname(permission_name), property(permission_function))
def _isBootstrapRequired(self):
......@@ -193,9 +193,17 @@ class PortalTypeMetaClass(GhostBaseMetaClass, PropertyHolder):
def setupSecurity(cls):
apply_security_function = getattr(cls, '_applyAllStaticSecurity', None)
if apply_security_function:
# note that after this call the 'security' attribute will be gone.
for subclass in PortalTypeMetaClass.getSubclassList(cls):
apply_security_function = getattr(cls, '_applyAllStaticSecurity', None)
if apply_security_function:
def restoreGhostState(cls):
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment