From: Daniele <d.t...@ic...> - 2003-04-18 09:41:03
Hello Soren,

thanks for the interface-bug-finding, bug-solving and feature-requesting you sent me in your e-mail. And congratulations for your in-depth knowledge in OpenFlow and Zope.

About your feature requests:

1) in the applications I realize with OF, adding properties is something I do to instances any time, not only upon their creation. Usually the roles I create for users do have the manage_properties permission to be able to create, del and change properties. Nevertheless your proposal is definitely on-target: it's bothersome having to remember to add this permission to the users' role. What if I overload the manage_addProperty, manage_changeProperties and manage_delProperties methods, leaving them unchanged but protected by "Use OpenFlow" permission (extending your feature request #2)?

On the other hand I often use the process instance as a container for custom objects (instances of custom products) that I implement the way I most like, allowing them to use whatever method (protected in whatever way I prefer). This means that often properties are recorded on these objects rather than on the instance itself. This allows for a finer grained permission handling for your user roles. But this solving of the issue requires you to build your custom product, and this is bothersome anyway, for as simple you make it.

2) reply to feature 2 is included in the solution above, I guess.

Thanks a lot for your effort in making OpenFlow more usable,
Daniele =)

PS: did you subscribe to the openflow-dev mailing list? It's at:
http://lists.sourceforge.net/lists/listinfo/openflow-dev

On Friday 18 April 2003 11:12, Soren Roug wrote:
> Hello Daniele,
>
> I've been playing with your openflow engine, and I think I've found a bug in
> it.
>
> What I did was, I created a number of regular users in /acl_user with roles
> having the permission "Use OpenFlow". I created a simple workflow
> application with some forms to fill out.
>
> What happens is that a regular user fills out a form, which calls
> addInstance() and so on. This part works.
>
> The problem is that an account with "Manager" role can't see the History
> (The index_html of the Instance class). The manager gets this error:
>
> Error Type: Undefined
> Error Value: You are not allowed to access manage_page_header in this
> context not found in 'here/manage_page_header', at line 1, column 1
>
> But it works if the Manager looks at one of the other tabs - like the
> manage_editProperties.
>
> The difference is that index_html for Instance is written in ZPT whereas
> the other tabs are written in DTML. The problem is that the Instance object
> is OWNED by a regular user, and Zope's access control will only let you run
> scripts with max the privileges of that user. I have not given the "View
> management screens" permission to the regular users - they don't need it,
> and that makes Manager unable to see the History of an instance.
>
> But why does History have this problem, when Properties does similar things
> and works, you might ask. It is because when a DTML script is loaded from a
> DTMLFile() in a python product, it is considered "trusted" and access
> restrictions don't apply. The same is not true for PageTemplateFile().
> There are two ways you can fix this bug:
>
> 1. Rewrite History.zpt in DTML. My absolute favorite
> 2. Don't use manage_page_header for ZPT files
> -----------------------
> The next part is not a bug report, but a feature request:
>
> I have code that does this:
>
> <dtml-let instance="workflow.addInstance('webmaster',
>                                          'nocustomer',
>                                          'comments are ignored',
>                                          'Question for the webmaster',
>                                          activation=0)"
>           instobj="_.getattr(workflow,instance)">
> <dtml-call "instobj.manage_addProperty('frommail', frommail, 'string')">
> <dtml-call "instobj.manage_addProperty('subject', subject, 'string')">
> <dtml-call "instobj.manage_addProperty('question', question, 'text')">
> <dtml-call "instobj.manage_addProperty('answer', '', 'text')">
> <dtml-call "workflow.startInstance(instance)">
>
> The unfortunate side-effect is that the user must have the "Manage
> properties" permission or the DTML method must have a Proxy-role with
> heightened permissions. I would like you to consider adding an extra
> optional argument to addInstance() that can take a list of properties to
> add to an instance. Something like:
>
> <dtml-call "workflow.addInstance('webmaster',
>                                  'nocustomer',
>                                  'comments are ignored',
>                                  'Question for the webmaster',
>                                  activation=1,
>                                  properties=[
>                                    ['frommail', frommail, 'string'],
>                                    ['subject', subject, 'string'],
>                                    ['question', question, 'text'],
>                                    ['answer', '', 'text']
>                                  ])">
>
> Either that, or some way to specify in the Process definition what
> properties should be created automatically with what types, so we don't
> have to bother with manage_addProperty, but can just pass the REQUEST
> variable into addInstance - like we do when we create ZClass instances.
>
> The next feature request is to add one line to instance.py:
>
> security.declareProtected('Use OpenFlow', 'manage_changeProperties')
>
> Then regular users don't need the "Manage properties" permission.
>
> best regards,
>
> Soren Roug
> European Environment Agency

--
Daniele Tarini - Research & Development - Icube S.r.l.
Address: Via Ridolfi 15 - 56124 Pisa (PI), Italy
E-mail: d.t...@ic...
Web: http://www.icube.it
Phone: (+39) 050 97 02 07
Fax: (+39) 050 31 36 588
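
Added example, not part of the e-mail and not OpenFlow or Zope code: a stand-alone Python model of the addInstance(properties=[...]) request, showing a user holding only "Use OpenFlow" setting type-checked properties at creation while manage_addProperty stays behind "Manage properties". The role name "WorkflowUser", the protected() decorator, the _set_property helper, the allowed-type list and the shortened addInstance signature are assumptions made for illustration.

```python
import functools

# Constructed role table; "WorkflowUser" is a hypothetical role name.
ROLE_PERMISSIONS = {
    "Manager": {"Use OpenFlow", "Manage properties"},
    "WorkflowUser": {"Use OpenFlow"},
}
ALLOWED_TYPES = {"string", "text"}  # assumed set of types accepted at creation


class Unauthorized(Exception):
    pass


def protected(permission):
    """Model of a per-method permission declaration (not Zope's API)."""
    def wrap(func):
        @functools.wraps(func)
        def checked(self, roles, *args, **kwargs):
            granted = set()
            for role in roles:
                granted |= ROLE_PERMISSIONS.get(role, set())
            if permission not in granted:
                raise Unauthorized(f"{func.__name__} requires {permission!r}")
            return func(self, *args, **kwargs)
        return checked
    return wrap


class Instance:
    def __init__(self, title):
        self.title = title
        self.properties = {}

    def _set_property(self, name, value, ptype):
        # Unprotected helper, meant to be called only from product code.
        if ptype not in ALLOWED_TYPES or not name.isidentifier():
            raise ValueError(f"rejected property {name!r} of type {ptype!r}")
        self.properties[name] = (ptype, value)

    @protected("Manage properties")
    def manage_addProperty(self, name, value, ptype):
        self._set_property(name, value, ptype)


class Workflow:
    @protected("Use OpenFlow")
    def addInstance(self, title, properties=()):
        # Properties are set once, at creation, under the workflow permission.
        instance = Instance(title)
        for name, value, ptype in properties:
            instance._set_property(name, value, ptype)
        return instance
```

In this model the weaker permission only covers property creation at instance creation time; later edits still need "Manage properties", which is narrower than re-protecting manage_changeProperties with "Use OpenFlow".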