Security mapping not updated on reindexObjectSecurity?

I have a custom workflow which, as usual, assigns some permissions to some roles depending on the state. This is working fine and has been live for 5+ years.

Now I just want to add a new role on a permission on those states.

If I import the workflow anew and I create a new content type that has this permission bound it works like a charm, the users with the right role have that permission on that new object.

The problem is on the existing objects.

I tried reindexObject() and also reindexObjectSecurity(), but that did not do the trick... On a debug prompt I changed the workflow state of that object and voilà, that did the trick.

Now though, I'm left with a feeling of this is magic that I don't really like :confused:

Is that supposed to be the way to trigger the new roles to be taken into account? I see that there is this updateRoleMappingsFor method, is that the right one?

So generally speaking: if one changes the roles on permissions assigned to a transition state in a workflow, the steps to apply those changes on existing objects are?

That seems to be what the workflow tool does for updating security settings after workflow changes + reindexObjectSecurity.

We use a slightly modified version of updateRoleMappings for bulk batched and targeted updates, so it does all the correct magic. We use it often in upgrade steps.

```python
from Acquisition import aq_base
from Acquisition import aq_inner
from plone import api


def update_role_mappings(context):
    """Re-apply workflow role mappings to context and everything below it."""
    wtool = api.portal.get_tool(name='portal_workflow')
    # copied from WorkflowTool.updateRoleMappings()
    # to enable context passing to wftool._recursiveUpdateRoleMappings()
    wfs = {}
    for wf_id in wtool.objectIds():
        wf = wtool.getWorkflowById(wf_id)
        # only workflows that can update role mappings are passed along
        if hasattr(aq_base(wf), 'updateRoleMappingsFor'):
            wfs[wf_id] = wf
    context = aq_inner(context)
    wtool._recursiveUpdateRoleMappings(context, wfs)
```
I recall having similar. It's useful also when configuring new placeful workflows on old large sites.
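
A targeted variant of the helper posted above, as an added example that is not part of the thread or of Plone itself: it re-applies role mappings to an explicit list of objects and returns the paths whose permissions actually changed, so an upgrade step can log exactly what was touched. The function name and the `batch_size` and `commit` parameters are assumptions made for illustration; the only Plone calls used are `getChainFor`, `getWorkflowById`, `updateRoleMappingsFor`, `reindexObject` and `getPhysicalPath`.

```python
def update_role_mappings_for(wtool, objects, batch_size=100, commit=None):
    """Re-apply workflow role mappings to an explicit set of objects.

    wtool      -- the portal_workflow tool
    objects    -- iterable of content objects to fix
    batch_size -- call commit() after this many changed objects
    commit     -- optional callable (hypothetical parameter), for example
                  transaction.commit in a long-running upgrade step

    Returns the paths of the objects whose permission settings changed.
    """
    changed = []
    wf_cache = {}
    for ob in objects:
        did_change = False
        for wf_id in wtool.getChainFor(ob):
            if wf_id not in wf_cache:
                wf_cache[wf_id] = wtool.getWorkflowById(wf_id)
            wf = wf_cache[wf_id]
            if wf is None:
                continue
            # Look at the unwrapped workflow so the method is not acquired.
            base = getattr(wf, 'aq_base', wf)
            if not hasattr(base, 'updateRoleMappingsFor'):
                continue
            # Copies the current state's role/permission table onto the
            # object; returns a true value only if something changed.
            if wf.updateRoleMappingsFor(ob):
                did_change = True
        if not did_change:
            continue
        # The object now carries the new roles; only then is it worth
        # refreshing the catalog's security index for it.
        ob.reindexObject(idxs=['allowedRolesAndUsers'])
        changed.append('/'.join(ob.getPhysicalPath()))
        if commit is not None and len(changed) % batch_size == 0:
            commit()
    return changed
```

In an upgrade step the `objects` argument would typically be built from a catalog query restricted to the affected portal type and review state, calling `getObject()` on each brain.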