Plone DCWorklfow Script context.manage_setLocalRoles

tdkuehnel · November 8, 2022, 8:15pm

Dear Plone community.

We are developing an Intranet solution based on Plone 5.2 for a mid-size organisation which ist hierachically organised.

As the organisation is structured hierachically, every department in the organisation can publish documents in its own department only, or down to a specific level.

We try to solve the requirement with setting local roles during a workflow transition. This is because there are about 500 departments in the organisation and we want to avoid bloating up the workflow definition with transitions and states for every needed role to group assignment that is needed.

We have a restricted python script which is called after the transition, and which unfortunately raises an unauthorizied exception with is caused by the script. The script has the following statements:

state_change.object.manage_setLocalRoles('GRUPPE_A1_B2', ('Reader',))
state_change.object.reindexObjectSecurity()

We have set the manager and site-admin proxy-role on the script, but it still gives a permission error when executing the script after the transition.

Setting the local role manually does give the required permissons needed to the groups. We just want to connect this step to a workflow transition.

Any help appreciated, thank you very much.

yurj · November 9, 2022, 8:01am

define a browserview that does the local roles setting & reindex and call it from the script (or directly).

Did you try to change the local roles with a python script (create one in portal_skin/custom) to check if the problem is not related to workflow context?

tiberiuichim · November 9, 2022, 8:20am

I think yurj is suggesting something like:

state_change.object.restrictedTraverse('@@myview').reindexMyStuff()

tdkuehnel · November 9, 2022, 11:18am

Thank you for the advice.

What does "reindex" mean ? Which steps do i need to make changes in the local role settings permanent and available in all places of memory plone/zope uses the local role settings in ?

Does it mean reindex the portal catalog ?

yurj · November 9, 2022, 11:23am

I mean this step, maybe It need to stay in the browser view too.

tdkuehnel · November 9, 2022, 11:26am

Ah, that we have in our script. object.reindexObjectSecurity()

We have got it working. But what made it working is now unknown ... something we have changed apparently ... investigating further.

tdkuehnel · November 9, 2022, 11:29am

This is the tip we needed.

We have to clear the acquireLocalRoles-setting on newly created documents, too, and tried do this with a transition-script, too, but didn't work. Calling a view from the script is the general solution for this kind of problems, i think.

Thank you very much !

tdkuehnel · November 13, 2022, 12:42pm

Unluckily,

state_change.object.restrictedTraverse('@@myview')

does not call the view when used in the transition-change script . The view works, when i call it with @@myview on the url of the object in the browser. Any ideas ?

tdkuehnel · November 13, 2022, 2:22pm

We are able to call the view from the script. With simple print-statements in it, it works.

When doing things like

objekt.manage_setLocalRoles(gruppenname, ('Reader',))`

in the script, we get a traceback with:

aborting transaction due to no CSRF protection on url http:....

tdkuehnel · November 13, 2022, 2:28pm

How do i call a browserview directly in a workflow transition ?

1letter · November 13, 2022, 3:35pm

normally i call a view in this way:

portal.restrictedTraverse("@@your-view")

tdkuehnel · November 13, 2022, 3:43pm

We need the object to set the local roles on, so the view would miss this if called on the portal.

1letter · November 13, 2022, 3:47pm

I think obj.restrictedTraverse("@@your-view") should also work.

tiberiuichim · November 13, 2022, 5:45pm

You can implement a method in your view which can receive an argument, an object.

The restrictedTraverse method will not automatically call your view, only instantiate it. It will not call its __call__.

tdkuehnel · November 13, 2022, 5:51pm

Inside the transition script i called the view on the object, like so:

state_change.object.restrictedTraverse('@@haken_setzen')

so i have the object available as self.context in the view.

So how do i "call" the call function of the view, or my own defined function ?

yurj · November 13, 2022, 6:04pm

portal.restrictedTraverse('@@haken_setzen').mymethod(state_change.object)?

tdkuehnel · November 14, 2022, 5:01am

In the transition script the second of the following statements raises an unauthorized exception:

from plone import api
portal = api.portal.get()

although the scripts manager proxy role is set. In which kind of script do you use the suggested restrictedTraverse statement ?

yurj · November 14, 2022, 1:39pm

try

state_change.object.restrictedTraverse('@@haken_setzen').mymethod(state_change.object)

Maybe you cannot use plone.api directly in python scripts.

tdkuehnel · March 23, 2023, 9:45pm

I get an 'insufficient privileges' site back with no stacktrace/exception showing in the 'instance fg' terminal output when trying your suggested statement in a Python-script connected to the state-transition.

In which version of Plone did you successful execute your suggestion ?

Sorry for the delay, we managed to solve the issue otherwise, but now it arises again.

petschki · March 30, 2023, 7:10am

To get tracebacks on Unauthorized exception, you have to remove it from the "Ignored exception types" in the @@error-log-form controlpanel (Site Setup -> Security -> Errors)