
Security permissions of working copy workflow don't get applied on ch…

…ecking out content

http://dev.plone.org/ticket/12780
1 parent 4ac7cc7 commit 14c0e9810fe92b9719a75e6527ca5ae25628951e Anthony Gerrard committed Mar 13, 2012
@@ -8,6 +8,10 @@ Changelog
because there are other implementations (such as the one for Dexterity)
that don't use Archetypes references.
[davisagli]
+
+- Security permissions of working copy workflow don't get applied on checking
+ out content http://dev.plone.org/ticket/12780
+ [anthonygerrard]
2.1.4 (2011-11-24)
@@ -21,6 +21,15 @@
provides="Products.GenericSetup.interfaces.EXTENSION"
/>
+ <genericsetup:registerProfile
+ name="test"
+ title="plone.app.iterate: Test fixture"
+ directory="profiles/test"
+ description="Extension profile to configure a test fixture"
+ for="Products.CMFPlone.interfaces.ITestCasePloneSiteRoot"
+ provides="Products.GenericSetup.interfaces.EXTENSION"
+ />
+
<genericsetup:upgradeStep
source="*"
destination="121"
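Review bot: The `test` profile is registered in the package's main ZCML, next to the production profile, with nothing that says why this is safe. Only the `for="Products.CMFPlone.interfaces.ITestCasePloneSiteRoot"` attribute appears to keep it from being offered on real sites. Add a comment above the directive such as `<!-- Test-only fixture: restricted to ITestCasePloneSiteRoot so it is not selectable on production sites -->`, or move the registration into a ZCML file that only the test layer loads. The enclosing `<configure>` element starts and ends outside this hunk.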
@@ -0,0 +1,6 @@
+<metadata>
+ <version>1</version>
+ <dependencies>
+ <dependency>profile-Products.CMFPlacefulWorkflow:base</dependency>
+ </dependencies>
+</metadata>
@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<object name="portal_placeful_workflow" meta_type="Placeful Workflow Tool">
+ <property name="title"></property>
+ <property name="max_chain_length" type="int">1</property>
+ <object name="working-copy" meta_type="WorkflowPolicy" />
+</object>
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<object name="working-copy" meta_type="WorkflowPolicy">
+ <property name="title">Working Copy</property>
+ <bindings>
+ <default>
+ <bound-workflow workflow_id="workingcopy_workflow" />
+ </default>
+ <type default_chain="true" type_id="Document" />
+ </bindings>
+</object>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<object name="portal_workflow" meta_type="Plone Workflow Tool">
+ <object name="workingcopy_workflow" meta_type="Workflow" />
+</object>
@@ -0,0 +1,170 @@
+<?xml version="1.0"?>
+<dc-workflow xmlns:i18n="http://xml.zope.org/namespaces/i18n" i18n:domain="plone" workflow_id="workingcopy_workflow"
+ title="test wc workflow" state_variable="review_state" initial_state="draft-copy" i18n:attributes="title">
+
+ <!-- These are the permissions being managed -->
+ <permission>Delete objects</permission>
+ <permission>iterate : Check in content</permission>
+ <permission>iterate : Check out content</permission>
+ <permission>View</permission>
+ <permission>Access contents information</permission>
+ <permission>Change portal events</permission>
+ <permission>Modify portal content</permission>
+ <permission>Copy or Move</permission>
+
+ <!-- The various workflow states, with their permission maps -->
+ <state state_id="draft-copy" title="Draft (copy)" i18n:attributes="title">
+ <description i18n:translate="">New version created but not ready for publication</description>
+ <exit-transition transition_id="submit-copy-for-publication" />
+ <permission-map name="Access contents information" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="Change portal events" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="Modify portal content" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="View" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="iterate : Check in content" acquired="False" />
+ <permission-map name="iterate : Check out content" acquired="False" />
+ <permission-map name="Copy or Move" acquired="False" />
+ <permission-map name="Delete objects" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ </state>
+
+ <state state_id="pending-copy" title="Pending (copy)" i18n:attributes="title">
+ <description i18n:translate="">Copy submitted for publication - pending approval</description>
+ <exit-transition transition_id="withdraw-submitted-copy" />
+ <exit-transition transition_id="reject-submitted-copy" />
+ <permission-map name="Access contents information" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="Change portal events" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="Modify portal content" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="View" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="iterate : Check in content" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ <permission-map name="iterate : Check out content" acquired="False" />
+ <permission-map name="Copy or Move" acquired="False" />
+ <permission-map name="Delete objects" acquired="False">
+ <permission-role>Editor</permission-role>
+ <permission-role>Site Administrator</permission-role>
+ <permission-role>Contributor</permission-role>
+ <permission-role>Manager</permission-role>
+ </permission-map>
+ </state>
+
+ <!-- Transitions between states, including guard conditions -->
+ <transition transition_id="submit-copy-for-publication" new_state="pending-copy" title="Submit draft content for publication" trigger="USER"
+ before_script="" after_script="" i18n:attributes="title">
+ <description i18n:translate="">
+ Move the content to the pending state where it will be reviewed by an editor by publication.
+ </description>
+ <action url="%(content_url)s/content_status_modify?workflow_action=submit-copy-for-publication" category="workflow"
+ i18n:translate="">Submit</action>
+ <guard>
+ <guard-permission>Modify portal content</guard-permission>
+ </guard>
+ </transition>
+ <transition transition_id="reject-submitted-copy" new_state="draft-copy" title="Editor rejects submitted content"
+ trigger="USER" before_script="" after_script="" i18n:attributes="title">
+ <description i18n:translate="">
+ Revert to draft.
+ </description>
+ <guard>
+ <guard-permission>Review portal content</guard-permission>
+ </guard>
+ </transition>
+ <transition transition_id="withdraw-submitted-copy" new_state="draft-copy" title="Contributor withdraws submitted content"
+ trigger="USER" before_script="" after_script="" i18n:attributes="title">
+ <description i18n:translate="">
+ Revert to draft.
+ </description>
+ <guard>
+ <guard-role>Contributor</guard-role>
+ </guard>
+ </transition>
+
+ <!-- Workflow variables, managed as part of workflow history -->
+ <variable variable_id="action" for_catalog="False" for_status="True" update_always="True">
+ <description>The last transition</description>
+ <default>
+ <expression>transition/getId|nothing</expression>
+ </default>
+ <guard>
+ </guard>
+ </variable>
+ <variable variable_id="actor" for_catalog="False" for_status="True" update_always="True">
+ <description>The ID of the user who performed the last transition</description>
+ <default>
+ <expression>user/getId</expression>
+ </default>
+ <guard>
+ </guard>
+ </variable>
+ <variable variable_id="comments" for_catalog="False" for_status="True" update_always="True">
+ <description>Comments about the last transition</description>
+ <default>
+ <expression>python:state_change.kwargs.get('comment', '')</expression>
+ </default>
+ <guard>
+ </guard>
+ </variable>
+ <variable variable_id="review_history" for_catalog="False" for_status="False" update_always="False">
+ <description>Provides access to workflow history</description>
+ <default>
+ <expression>state_change/getHistory</expression>
+ </default>
+ <guard>
+ <guard-permission>Request review</guard-permission>
+ <guard-permission>Review portal content</guard-permission>
+ </guard>
+ </variable>
+ <variable variable_id="time" for_catalog="False" for_status="True" update_always="True">
+ <description>Time of the last transition</description>
+ <default>
+ <expression>state_change/getDateTime</expression>
+ </default>
+ <guard>
+ </guard>
+ </variable>
+
+</dc-workflow>
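Review bot: In the `pending-copy` state the `Delete objects` map still lists Contributor, although `Modify portal content` and `Change portal events` drop that role there. A submitter who can no longer edit a copy under review can therefore still delete it. If that is not intended, remove `<permission-role>Contributor</permission-role>` from that map; if it is, a short comment would help, since fixture workflows like this tend to be copied as templates. Separately, `withdraw-submitted-copy` uses `<guard-role>Contributor</guard-role>` while the other transitions use `guard-permission`; a permission guard would keep the access decision in the permission maps.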
@@ -57,6 +57,8 @@ def handleCheckout( event ):
# we setattr because we want the effect on non containerish objects
setattr( event.working_copy, WorkflowPolicyConfig_id, policy )
+ event.working_copy.notifyWorkflowCreated()
+ event.working_copy.reindexObjectSecurity()
def handleCheckin( event ):
policy = getattr( aq_base(event.object), WorkflowPolicyConfig_id, None )
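Review bot: The two calls added to `handleCheckout` need a why-comment, because nothing here explains that setting the policy attribute alone does not apply the policy's permission maps to the existing copy. Something like `# re-run workflow initialisation so the policy's chain and permission maps apply to the copy, then refresh the catalog's security indexes` above them would do. Both calls presumably rely on the working copy providing the CMF catalog-aware methods, which is worth confirming for the non-Archetypes implementations the changelog mentions. The function starts outside the hunk and the rendering has lost the indentation, so whether the calls run only when a policy was set cannot be checked from here.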
@@ -2,8 +2,12 @@
Setup
-----
+ >>> from Testing import ZopeTestCase as ztc
+ >>> ztc.installProduct('Products.CMFPlacefulWorkflow')
>>> result = self.portal.portal_setup.runAllImportStepsFromProfile(
... 'profile-plone.app.iterate:plone.app.iterate')
+ >>> result = self.portal.portal_setup.runAllImportStepsFromProfile(
+ ... 'profile-plone.app.iterate:test')
>>> from Products.Five.testbrowser import Browser
>>> from Testing.ZopeTestCase import user_password
@@ -204,3 +208,58 @@ the condition for the "Cancel check-out" action on these items
>>> if 'front-page' in portal:
... portal.manage_delObjects(['front-page'])
>>> browser.open(portal.absolute_url())
+
+Working copy workflows
+----------------------
+
+It's possible to assign a different workflow to working copies in combination with
+Products.CMFPlacefulWorkflow. This usually makes sense: you should be checking in a working copy
+rather than publishing it.
+
+We have a working copy workflow defined in our textfixture profile. To enable you need to set a
+couple of site properties.
+
+ >>> browser.addHeader('Authorization',
+ ... 'Basic %s:%s' % ('portal_owner', user_password))
+ >>> browser.open("http://nohost/plone/portal_properties/site_properties/manage_propertiesForm")
+ >>> browser.getControl(name="enable_checkout_workflow:boolean").value = [True]
+ >>> browser.getControl(name="checkout_workflow_policy:string").value = 'working-copy'
+ >>> browser.getControl(name="manage_editProperties:method").click()
+
+Create a new page to test workflows with
+
+ >>> browser.open(self.portal.absolute_url())
+ >>> browser.getLink('Add new').click()
+ >>> 'Add new item' in browser.contents
+ True
+ >>> browser.getControl('Page').click()
+ >>> browser.getControl('Add').click()
+ >>> browser.getControl('Title').value = 'My workflow test'
+ >>> browser.getControl('Body Text').value = 'My workflow test'
+ >>> browser.getControl('Save').click()
+ >>> 'Changes saved.' in browser.contents
+ True
+ >>> workflow_test_url = browser.url
+
+Checkout
+
+ >>> browser = Browser()
+ >>> browser.addHeader('Authorization', 'Basic editor:secret')
+ >>> browser.open(workflow_test_url)
+ >>> browser.getLink(id='iterate_checkout').click()
+ >>> browser.contents
+ '...This is a working copy of...My workflow test..., made by...editor... on...'
+ >>> browser.contents
+ '...state-draft-copy...'
+
+Check security permisions on workflow have been applied. We remove copy or move permissions in our
+workflow so this should not appear in the action menu.
+http://code.google.com/p/dexterity/issues/detail?id=258
+
+ >>> browser.getLink(id='copy')
+ Traceback (most recent call last):
+ ...
+ LinkNotFoundError
+ >>> browser.getLink(id='delete')
+ <Link text='Delete' ...>
+
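Review bot: The new check `browser.getLink(id='copy')` only shows that the Copy action is hidden from the menu, not that the permission has been withdrawn on the working copy. A hidden link and an enforced permission can diverge, so the test would be stronger if it also asserted on the object itself, for example that no role is selected in `rolesOfPermission('Copy or Move')` for the working copy. The effect of `reindexObjectSecurity()` is not exercised either; a catalog query as a user who should not see the draft copy would cover it.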
