Commit e2967202 authored by Georgios Dagkakis's avatar Georgios Dagkakis

erp5_base: Add coordinate_interaction_workflow and add it all Coordinate types

In its generic form it would declare as reachable an unreachable coordinate
when the coordinate_text changes
parent 5504703a
<workflow_chain> <workflow_chain>
<chain> <chain>
<type>Address</type> <type>Address</type>
<workflow>edit_workflow, reachability_workflow</workflow> <workflow>coordinate_interaction_workflow, edit_workflow, reachability_workflow</workflow>
</chain> </chain>
<chain> <chain>
<type>Agent</type> <type>Agent</type>
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
</chain> </chain>
<chain> <chain>
<type>Chat Address</type> <type>Chat Address</type>
<workflow>edit_workflow, reachability_workflow</workflow> <workflow>coordinate_interaction_workflow, edit_workflow, reachability_workflow</workflow>
</chain> </chain>
<chain> <chain>
<type>Credit Card</type> <type>Credit Card</type>
...@@ -45,7 +45,7 @@ ...@@ -45,7 +45,7 @@
</chain> </chain>
<chain> <chain>
<type>Email</type> <type>Email</type>
<workflow>edit_workflow, reachability_workflow</workflow> <workflow>coordinate_interaction_workflow, edit_workflow, reachability_workflow</workflow>
</chain> </chain>
<chain> <chain>
<type>Embedded File</type> <type>Embedded File</type>
...@@ -57,11 +57,11 @@ ...@@ -57,11 +57,11 @@
</chain> </chain>
<chain> <chain>
<type>External Identifier</type> <type>External Identifier</type>
<workflow>edit_workflow, reachability_workflow</workflow> <workflow>coordinate_interaction_workflow, edit_workflow, reachability_workflow</workflow>
</chain> </chain>
<chain> <chain>
<type>Fax</type> <type>Fax</type>
<workflow>edit_workflow, reachability_workflow</workflow> <workflow>coordinate_interaction_workflow, edit_workflow, reachability_workflow</workflow>
</chain> </chain>
<chain> <chain>
<type>File</type> <type>File</type>
...@@ -81,7 +81,7 @@ ...@@ -81,7 +81,7 @@
</chain> </chain>
<chain> <chain>
<type>Link</type> <type>Link</type>
<workflow>edit_workflow, reachability_workflow</workflow> <workflow>coordinate_interaction_workflow, edit_workflow, reachability_workflow</workflow>
</chain> </chain>
<chain> <chain>
<type>Notification Message</type> <type>Notification Message</type>
...@@ -113,6 +113,6 @@ ...@@ -113,6 +113,6 @@
</chain> </chain>
<chain> <chain>
<type>Telephone</type> <type>Telephone</type>
<workflow>edit_workflow, reachability_workflow</workflow> <workflow>coordinate_interaction_workflow, edit_workflow, reachability_workflow</workflow>
</chain> </chain>
</workflow_chain> </workflow_chain>
\ No newline at end of file
from Products.ERP5Type.Message import translateString
if context.getValidationState() == 'unreachable':
context.declareReachable(comment=translateString("Assumed reachable after coordinate changed"))
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>Coordinate_beforeCoordinateTextChange</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="InteractionWorkflowDefinition" module="Products.ERP5.InteractionWorkflow"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_objects</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>creation_guard</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>description</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>groups</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>coordinate_interaction_workflow</string> </value>
</item>
<item>
<key> <string>manager_bypass</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string>Coordinate Interaction Workflow</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Interaction" module="Products.ERP5.Interaction"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_mapping</string> </key>
<value>
<dictionary/>
</value>
</item>
<item>
<key> <string>_objects</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>interactions</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="InteractionDefinition" module="Products.ERP5.Interaction"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>actbox_category</string> </key>
<value> <string>workflow</string> </value>
</item>
<item>
<key> <string>actbox_name</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>actbox_url</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>activate_script_name</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>after_script_name</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>before_commit_script_name</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>description</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>guard</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>beforeCoordinateTextChange</string> </value>
</item>
<item>
<key> <string>method_id</string> </key>
<value>
<list>
<string>_setCoordinateText</string>
<string>_setStreetAddress</string>
<string>_setZipCode</string>
<string>_setCity</string>
<string>_setRegion.*</string>
<string>_setTelephoneCountry</string>
<string>_setTelephoneArea</string>
<string>_setTelephoneCity</string>
<string>_setTelephoneExtension</string>
<string>_setTelephoneNumber</string>
<string>_setUrlString</string>
</list>
</value>
</item>
<item>
<key> <string>once_per_transaction</string> </key>
<value> <int>1</int> </value>
</item>
<item>
<key> <string>portal_type_filter</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>portal_type_group_filter</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>script_name</string> </key>
<value>
<list>
<string>beforeCoordinateTextChange</string>
</list>
</value>
</item>
<item>
<key> <string>temporary_document_disallowed</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
<item>
<key> <string>trigger_type</string> </key>
<value> <int>2</int> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Scripts" module="Products.DCWorkflow.Scripts"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_mapping</string> </key>
<value>
<dictionary/>
</value>
</item>
<item>
<key> <string>_objects</string> </key>
<value>
<tuple/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>scripts</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
state_change['object'].Coordinate_beforeCoordinateTextChange()
  • @georgios.dagkakis do you remember why this is implemented with one workflow script calling another workflow script and not having all the implementation directly in the workflow script ?

    For context, the problem I have is that since this change it's no longer possible to edit a coordinate from a script with proxy role while the actual user does not have permission to edit the coordinate. For example, it's no longer possible to execute a script with proxy role like that one for anonymous user:

    context.getPortalObject().person_module.newContent(default_address_city='Lille')

    I think it's a bug so I want to change this script to have a proxy role, but I feel it would be better to have proxy role only in workflow script, so I am thinking about changing the implementation here to do everything in this interaction workflow script.

    Do you see something wrong with that ?

  • The reason we did it like this was to be able to override behaviour in projects.

    Now for the use case, should we really let anonymous do that? I suppose it is needed in some project, but I do not expect the default behaviour to have to need a proxy role. So wouldn't it be better to override Coordinate_beforeCoordinateTextChange with the proxy role you want?

  • Thanks, I was thinking that maybe this was a way to easily override this script, so if I change the default workflow to not be "two steps" like this it would break the customization, I will find another way.

    It's perfectly fine to have a script with proxy role creating documents sometimes, bascially the scripts does module.newContent(default_address_city='Lille') or person.default_address.setCity('Lille') and Zope security checks that the user is allowed to call the method and that should be enough. Not always, but it's usually a bug if an interaction on setSomething needs more permission than just being allowed to call setSomething

  • In theory shouldn't it be that security is aligned? I mean, if setSomething triggers an interaction then the interaction should be set up so that the same users who have permission to setSomething have the required permissions for whatever the interaction does. I know this is in a theoretical 'perfect' world...

  • yes, but that theorical perfect world does not really support the case where setSomething is called from an unrestricted context or from a context with proxy roles.

  • it's something not clear for me. Sometimes I feel that interactions should be unrestricted (because the security is checked in setSomething already) but sometimes it's good that interactions are done in restricted context, for example if an interaction is going to modify some related documents, then having security is safer. I don't know what the rule is here. Maybe if an interaction on context.setSomething also modifies context it can be done in an unrestricted context.

    I think I don't need to change this code after all, but to me this is a case of an interaction that would be just as good running in unrestricted python.

  • This has a point.. I mean, we typically say (as you did above) something like I feel it would be better to have proxy role only in workflow script. Because we believe that if the user could trigger the interaction, then he should be able to do all other stuff the interaction dictates, even if security configuration would not allow normally.

    But I feel this would open long discussions and the outcome would be like "it is security configuration that should be robust and we should not need means of elevating permissions" etc

  • yes, I don't think we need to open more endless discussions :)

    I just want to add that giving permissions to users is not always the best and means of elevating permissions are sometimes what makes the system more secure. The example that comes to my mind is a web site which uses invoices to customers. Each customer has an account on this web site, the customers can do some actions on the web site that would as a consequence modify their invoices or payments. In such a scenario we don't want users to have the permission to edit invoices or payments as they wish, but only through some very limited and controlled actions - and these actions typically perform some extra check and then use some privileges escalation technique (an alarm running as system user, a script proxy roles etc) and I don't think it's wrong.

    Thanks again for the feedback.

Please register or sign in to reply
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>Script_magic</string> </key>
<value> <int>3</int> </value>
</item>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>state_change</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>beforeCoordinateTextChange</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Variables" module="Products.DCWorkflow.Variables"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_mapping</string> </key>
<value>
<dictionary/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>variables</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Worklists" module="Products.DCWorkflow.Worklists"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_mapping</string> </key>
<value>
<dictionary/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>worklists</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
Address | coordinate_interaction_workflow
Address | edit_workflow Address | edit_workflow
Address | reachability_workflow Address | reachability_workflow
Agent | edit_workflow Agent | edit_workflow
...@@ -7,6 +8,7 @@ Bank Account | edit_workflow ...@@ -7,6 +8,7 @@ Bank Account | edit_workflow
Bank Account | validation_workflow Bank Account | validation_workflow
Career | career_workflow Career | career_workflow
Career | edit_workflow Career | edit_workflow
Chat Address | coordinate_interaction_workflow
Chat Address | edit_workflow Chat Address | edit_workflow
Chat Address | reachability_workflow Chat Address | reachability_workflow
Credit Card | edit_workflow Credit Card | edit_workflow
...@@ -21,6 +23,7 @@ Delivery Type | base_type_interaction_workflow ...@@ -21,6 +23,7 @@ Delivery Type | base_type_interaction_workflow
Delivery Type | dynamic_class_generation_interaction_workflow Delivery Type | dynamic_class_generation_interaction_workflow
ERP5 Login | edit_workflow ERP5 Login | edit_workflow
ERP5 Login | login_validation_workflow ERP5 Login | login_validation_workflow
Email | coordinate_interaction_workflow
Email | edit_workflow Email | edit_workflow
Email | reachability_workflow Email | reachability_workflow
Embedded File | document_conversion_interaction_workflow Embedded File | document_conversion_interaction_workflow
...@@ -28,8 +31,10 @@ Embedded File | edit_workflow ...@@ -28,8 +31,10 @@ Embedded File | edit_workflow
Embedded File | embedded_workflow Embedded File | embedded_workflow
Embedded Folder | edit_workflow Embedded Folder | edit_workflow
Embedded Folder | embedded_workflow Embedded Folder | embedded_workflow
External Identifier | coordinate_interaction_workflow
External Identifier | edit_workflow External Identifier | edit_workflow
External Identifier | reachability_workflow External Identifier | reachability_workflow
Fax | coordinate_interaction_workflow
Fax | edit_workflow Fax | edit_workflow
Fax | reachability_workflow Fax | reachability_workflow
File | document_conversion_interaction_workflow File | document_conversion_interaction_workflow
...@@ -40,6 +45,7 @@ Geographical Location | edit_workflow ...@@ -40,6 +45,7 @@ Geographical Location | edit_workflow
Image | document_conversion_interaction_workflow Image | document_conversion_interaction_workflow
Image | document_security_interaction_workflow Image | document_security_interaction_workflow
Image | edit_workflow Image | edit_workflow
Link | coordinate_interaction_workflow
Link | edit_workflow Link | edit_workflow
Link | reachability_workflow Link | reachability_workflow
Notification Message | document_conversion_interaction_workflow Notification Message | document_conversion_interaction_workflow
...@@ -58,5 +64,6 @@ Role Definition | edit_workflow ...@@ -58,5 +64,6 @@ Role Definition | edit_workflow
Role Definition | local_permission_interaction_workflow Role Definition | local_permission_interaction_workflow
Rounding Model | validation_workflow Rounding Model | validation_workflow
Simulation Movement | simulation_movement_causality_interaction_workflow Simulation Movement | simulation_movement_causality_interaction_workflow
Telephone | coordinate_interaction_workflow
Telephone | edit_workflow Telephone | edit_workflow
Telephone | reachability_workflow Telephone | reachability_workflow
\ No newline at end of file
assignment_workflow assignment_workflow
career_workflow career_workflow
coordinate_interaction_workflow
currency_exchange_line_interaction_workflow currency_exchange_line_interaction_workflow
delivery_causality_interaction_workflow delivery_causality_interaction_workflow
delivery_causality_workflow delivery_causality_workflow
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment