1. 15 Sep, 2017 1 commit
    • Jérome Perrin's avatar
      dms: do not grant permissions based on Owner role · e14b1ba0
      Jérome Perrin authored
       .. except from Draft and Submitted state.
      
      Document security should be based on group, site, function defined on
      document, sometimes publication section and or follow up, but the owner
      should only be considered in draft state.
      
      For conveniance (and compatibility), Owner is also allowed to view in
      Submitted state. The use case is for when a user submit a document he
      will not be allowed to see, for example because he made a mistake when
      choosing properties, user is still allowed to view the document and
      there's no unauthorized error.
      
      We want to allow a user to set properties before publishing a document
      and later, once the document is no longer draft, the security of the
      document will be depending on these properties.
      
      We want to prevent users to get permissions on a PDF document that would
      be created by interactions and they are not supposed to see. For exemple
      when we generate a PDF invoice and store it in document module. In this
      case, as the interaction runs as the user, this user will have Owner
      role implicitely.
      
      (cherry picked from commit 1664e541)
      e14b1ba0
  2. 14 Sep, 2017 1 commit
    • Jérome Perrin's avatar
      core: respect "View History" permission in ZODB History · b3513b16
      Jérome Perrin authored
      This action should only be possible if user have View History
      permission.
      
      erp5_data_protection relies on removing the "View History" permission to
      make sure users cannot see the properties before protection in the
      history tab. This was supported by Base_viewHistory, but not by ZODB
      History
      
      (cherry picked from commit d2c08463)
      b3513b16
  3. 12 Sep, 2017 1 commit
  4. 02 Jun, 2017 8 commits
  5. 11 May, 2017 3 commits
  6. 09 May, 2017 1 commit
  7. 02 May, 2017 25 commits