I have a custom workflow which, as usual, assigns some permissions to some roles depending on the state. This is working fine and is already live for +5 years.
Now I just want to add a new role on a permission on those states.
If I import the workflow anew and I create a new content type that has this permission bound it works like a charm, the users with the right role have that permission on that new object.
The problem is on the existing objects.
I tried to reindexObject() and also reindexObjectSecurity(), but did not do the trick... on a debug prompt I changed the workflow state of that object and voilà, that did the trick.
Now though, I'm left with a feeling of this is magic that I don't really like
Is that supposed to be the way to trigger the new roles to be taken into account? I see that there is this updateRoleMappingsFor method, is that the right one?
So generally speaking: if one changes the roles on permissions assigned to a transition state in a workflow, the steps to apply those changes on existing objects are?
Hi,
We use a slighly modified version of updateRoleMappings for bulk batched and targeted updates, so does all the correct magic. We use it often in upgrade steps.
from Acquisition import aq_base
from Acquisition import aq_inner
from plone import api
def update_role_mappings(context):
wtool = api.portal.get_tool(name='portal_workflow')
# copied from WorkflowTool.updateRoleMappings()
# to enable context passing to wftool._recursiveUpdateRoleMappings()
wfs = {}
for id in wtool.objectIds():
wf = wtool.getWorkflowById(id)
if hasattr(aq_base(wf), 'updateRoleMappingsFor'):
wfs[id] = wf
context = aq_inner(context)
wtool._recursiveUpdateRoleMappings(context, wfs)
