Item14430: add config to enable ACL overwriting. This feature has to …

…be regarded as experimental, as it badly breaks existing workflows
foswiki · Jul 10, 2017 · 430f93f · 430f93f
1 parent a0d1171
commit 430f93f
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 35 deletions.
diff --git a/lib/Foswiki/Plugins/WorkflowPlugin.pm b/lib/Foswiki/Plugins/WorkflowPlugin.pm
@@ -903,42 +903,47 @@ sub afterSaveHandler {
     my $workflow = $controlledTopic->{workflow};
     my $state    = $controlledTopic->getState();
 
-    # set/unset edit rights
-    my $allowEdit = $workflow->{states}->{$state}->{allowedit};
-    $allowEdit = $controlledTopic->expandMacros($allowEdit);
-
-    if ($allowEdit) {
-        $controlledTopic->{meta}->putKeyed(
-            'PREFERENCE',
-            {
-                name  => 'ALLOWTOPICCHANGE',
-                title => 'ALLOWTOPICCHANGE',
-                value => $allowEdit,
-                type  => 'Set'
-            }
-        );
-    }
-    else {
-        $controlledTopic->{meta}->remove( 'PREFERENCE', 'ALLOWTOPICCHANGE' );
-    }
-
-    # set/unset view rights
-    my $allowView = $workflow->{states}->{$state}->{allowview} || '';
-    $allowView = $controlledTopic->expandMacros($allowView);
+    # Item14430 - make ACL overwriting optional
+    if ( $Foswiki::cfg{Plugins}{WorkflowPlugin}{UpdateFoswikiACLs} ) {
+
+        # set/unset edit rights
+        my $allowEdit = $workflow->{states}->{$state}->{allowedit};
+        $allowEdit = $controlledTopic->expandMacros($allowEdit);
+
+        if ($allowEdit) {
+            $controlledTopic->{meta}->putKeyed(
+                'PREFERENCE',
+                {
+                    name  => 'ALLOWTOPICCHANGE',
+                    title => 'ALLOWTOPICCHANGE',
+                    value => $allowEdit,
+                    type  => 'Set'
+                }
+            );
+        }
+        else {
+            $controlledTopic->{meta}
+              ->remove( 'PREFERENCE', 'ALLOWTOPICCHANGE' );
+        }
 
-    if ($allowView) {
-        $controlledTopic->{meta}->putKeyed(
-            'PREFERENCE',
-            {
-                name  => 'ALLOWTOPICVIEW',
-                title => 'ALLOWTOPICVIEW',
-                value => $allowView,
-                type  => 'Set'
-            }
-        );
-    }
-    else {
-        $controlledTopic->{meta}->remove( 'PREFERENCE', 'ALLOWTOPICVIEW' );
+        # set/unset view rights
+        my $allowView = $workflow->{states}->{$state}->{allowview} || '';
+        $allowView = $controlledTopic->expandMacros($allowView);
+
+        if ($allowView) {
+            $controlledTopic->{meta}->putKeyed(
+                'PREFERENCE',
+                {
+                    name  => 'ALLOWTOPICVIEW',
+                    title => 'ALLOWTOPICVIEW',
+                    value => $allowView,
+                    type  => 'Set'
+                }
+            );
+        }
+        else {
+            $controlledTopic->{meta}->remove( 'PREFERENCE', 'ALLOWTOPICVIEW' );
+        }
     }
 
     my $key = $state;

diff --git a/lib/Foswiki/Plugins/WorkflowPlugin/Config.spec b/lib/Foswiki/Plugins/WorkflowPlugin/Config.spec
@@ -0,0 +1,14 @@
+# ---+ Extensions
+# ---++ WorkflowPlugin
+# **BOOLEAN**
+# Enable to get a report on access control decisions printed to the
+# Foswiki debug log (usually in working/logs/debug.log)
+$Foswiki::cfg{Plugins}{WorkflowPlugin}{Debug} = 0;
+# **BOOLEAN**
+# Enable this to transfer "Allow Edit" and "Allow View" column entries from the state table into
+# Foswiki ACLs (e.g. ALLOWTOPICCHANGE) when a topic is saved. Note that this is experimental
+# and is very likely to break compatibility with existing workflows, but does integrate the plugin
+# more closely with the rest of Foswiki.
+$Foswiki::cfg{Plugins}{WorkflowPlugin}{UpdateFoswikiACLs} = 0;
+
+1;