Ticket #13046 (closed Bug: fixed)

Opened 22 months ago

Last modified 18 months ago

Use of workflow internals in new byline code bypasses guards on workflow variables

Reported by: alecm Owned by: piv
Priority: major Milestone: 4.3
Component: General Version: 4.3
Keywords: Cc: piv, esteele

Description (last modified by alecm)

This is related to the changes from PLIP #8699 and issue #13045. The use of workflow internals is potentially problematic, since workflow variables (including the last transition time) can have explicit guards set. It should be possible to use "wf_tool.getInfoFor(ob, 'time', default=None)" to get the necessary data while respecting any explicitly set guards on the requested variable. The default Plone workflows set no such guards and that method is public, so allowing those security checks to be made should pose no problems.

See the related review:

 https://github.com/plone/buildout.coredev/blob/4.3/plips/reviews/plip8699-review-alecm.txt
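
An added example, not code from Plone or from this ticket: a toy model of the difference the description points at, where a read straight from workflow storage returns a guarded variable that the public accessor would withhold. The classes, the `user_roles` parameter, the list-shaped history and the sample data are assumptions made for illustration; only the `getInfoFor(ob, 'time', default=None)` call shape comes from the ticket.

```python
# Toy model (constructed; not Plone/DCWorkflow source) of a guarded workflow variable.

class Guard:
    """Allows access only to users holding one of the listed roles."""
    def __init__(self, roles):
        self.roles = set(roles)

    def check(self, user_roles):
        return bool(self.roles & set(user_roles))


class ToyWorkflowTool:
    """Hypothetical stand-in for the workflow tool's public accessor."""
    def __init__(self, variable_guards):
        self.variable_guards = variable_guards  # variable name -> Guard or None

    def getInfoFor(self, ob, name, default=None, user_roles=()):
        # user_roles is an assumption of this model, passed in explicitly here.
        guard = self.variable_guards.get(name)
        if guard is not None and not guard.check(user_roles):
            return default  # guard denies: the caller only ever sees the default
        history = ob.workflow_history
        return history[-1].get(name, default) if history else default


class Document:
    def __init__(self, history):
        self.workflow_history = history  # internal storage, no checks attached


def last_transition_time_internal(ob):
    """Read straight from storage: no guard is consulted at all."""
    return ob.workflow_history[-1]["time"] if ob.workflow_history else None


def last_transition_time_public(wf_tool, ob, user_roles):
    """Read through the public accessor so any guard on 'time' is enforced."""
    return wf_tool.getInfoFor(ob, "time", default=None, user_roles=user_roles)


# Constructed sample data: one site guards 'time', the other sets no guard.
doc = Document([{"review_state": "published", "time": "2012-06-01T10:00:00"}])
guarded = ToyWorkflowTool({"time": Guard(["Reviewer"])})
unguarded = ToyWorkflowTool({"time": None})
```

With no guard set, both paths return the same value, which is why the difference only shows up on sites that add an explicit guard to the variable.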

Change History

comment:1 Changed 22 months ago by kleist

  • Status changed from new to confirmed

comment:2 Changed 22 months ago by alecm

  • Cc piv, esteele added

comment:3 Changed 22 months ago by alecm

  • Description modified

comment:4 Changed 18 months ago by piv

  • Status changed from confirmed to closed
  • Resolution set to fixed

I picked the easier option: always display the effective date if it is set, regardless of object state: https://github.com/plone/plone.app.layout/commit/e1d458735db77949650a42c578ffe1305e6fdafe

comment:5 Changed 18 months ago by piv

  • Status changed from closed to reopened
  • Resolution fixed deleted

comment:6 Changed 18 months ago by piv

  • Status changed from reopened to confirmed

comment:7 Changed 18 months ago by piv

  • Owner set to piv
  • Status changed from confirmed to assigned

comment:8 Changed 18 months ago by piv

  • Status changed from assigned to closed
  • Resolution set to fixed