How the property rules are managed
Table of Contents
Displaying properties from other objects within the same form is a desirable feature. For example displaying the phone numbers or addresses of a person.
Currently, the way to do this in ERP5 is either to use a ListBox or to use acquired properties.
The Listbox approach is fine for many cases.
The acquired property approach consists in defining a property of the object which is acquired from its subobject. Then, we only need to display the property as if it was a
standard property. This approach is fine as long as we want to consider security as a whole block at the level of the parent object.
However, for finer grained security, what is really needed is the posisbility for every form field to provide an additional property which allows to select which object should
be taken into account for edit / display etc.
Jerome: Today, if you want to call setDefaultAddressText on a person, you need 'Modify portal content' on the person (or whatever write permission you set on
default_text_properties) *AND* 'Add portal content', when there is no 'default_address' content yet, you get Unauthorized from Products.CMFCore.TypesTool, line 338, in
constructInstance. It seems inconsistent to me.
For the records, this can be worked around like that:
1 from zExceptions import Unauthorized
2 from AccessControl.SecurityManagement import getSecurityManager
3 from AccessControl.SecurityManagement import newSecurityManager
4 from AccessControl.SecurityManagement import setSecurityManager
5 from AccessControl.User import UnrestrictedUser
7 def Invoice_setPaymentDate(self,
8 payment_date, REQUEST=None):
9 if REQUEST is not None:
10 raise Unauthorized('Cannot be called through the web')
12 old_sm = getSecurityManager()
14 newSecurityManager(None, UnrestrictedUser(