diff --git a/product/ERP5Type/Utils.py b/product/ERP5Type/Utils.py
index b2e2d1f854bce8e0a83ed9f6a36ecf9cfe46a67f..a053dc99cadcdd693b3062d5e96dda1df5437dee 100755
--- a/product/ERP5Type/Utils.py
+++ b/product/ERP5Type/Utils.py
@@ -579,20 +579,18 @@ def importLocalDocument(class_id, document_path = None):
 document_constructor = DocumentConstructor(document_class)
 document_constructor_name = "add%s" % class_id
 document_constructor.__name__ = document_constructor_name
- default_permission = ('Manager',)
 setattr(Products.ERP5Type.Document, class_id, document_module)
 setattr(Products.ERP5Type.Document, document_constructor_name, document_constructor)
 setDefaultClassProperties(document_class)
- pr=PermissionRole(document_class.add_permission, default_permission)
- #document_constructor.__roles__ = pr # There used to be security breach which was fixed (None replaced by pr)
- document_constructor.__roles__ = None # Anyone can add XXX
+ from AccessControl import ModuleSecurityInfo
+ ModuleSecurityInfo('Products.ERP5Type.Document').declareProtected(Permissions.AddPortalContent,
+ document_constructor_name,)
 InitializeClass(document_class)
 f.close()
 # Temp documents are created as standard classes with a different constructor
 # which patches some methods are the instance level to prevent reindexing
 from Products.ERP5Type import product_path as erp5_product_path
 from Products.PythonScripts.Utility import allow_class
- from AccessControl import ModuleSecurityInfo
 temp_document_constructor = TempDocumentConstructor(document_class)
 temp_document_constructor_name = "newTemp%s" % class_id
 temp_document_constructor.__name__ = temp_document_constructor_name
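Review bot: The new `declareProtected(Permissions.AddPortalContent, document_constructor_name,)` call hard-codes one permission, while the `PermissionRole` that the second hunk stores for the dispatcher is built from `document_class.add_permission`; a class that declares a stricter add permission would then have its `add<class_id>` constructor guarded differently on the two paths, so `declareProtected(document_class.add_permission, document_constructor_name)` looks like the consistent choice. It is also worth confirming that the declaration has any effect: as far as I recall, stock AccessControl documents `ModuleSecurityInfo.declareProtected` as unable to protect module-level names and treats it as a no-op, in which case dropping `__roles__ = None` leaves the constructor under the module's default access policy rather than behind this permission. A test that calls the constructor from restricted code as a user without the permission would settle both questions. The body of `importLocalDocument` starts and ends outside this hunk.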
@@ -631,6 +629,8 @@ def importLocalDocument(class_id, document_path = None):
 , document_constructor )
 initial = constructors[0]
 m[initial.__name__]=manage_addContentForm
+ default_permission = ('Manager',)
+ pr=PermissionRole(document_class.add_permission, default_permission)
 m[initial.__name__+'__roles__']=pr
 for method in constructors[1:]:
 if type(method) is type((1,2)):
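Review bot: `default_permission` holds a tuple of role names rather than a permission, which is easy to misread now that the assignment sits directly beside `document_class.add_permission`; `default_roles = ('Manager',)` followed by `pr = PermissionRole(document_class.add_permission, default_roles)` would say what the value is. A one-line comment such as `# roles that hold add_permission when nothing else is configured` would also record why Manager is the fallback, assuming that is the intent. The loop over `constructors[1:]` runs past the end of the hunk, so whether the remaining constructors receive a matching `__roles__` entry cannot be checked from here.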