Warning

This document hasn't been checked for compatibility with current versions of Plone. Use at your own risk.

Restricting access to transitions using groups

by Gregor — last modified Dec 30, 2008 03:01 PM
Use portal groups to decide who can perform certain transitions

This how-to assumes you know how to make a basic workflow already - if you don't, there are plenty of how-to's out there that can help you out.

The portal_workflow tool cannot guard transitions, worklists, variables and so on by group, but it does offer an "expression" guard, which is available on many types of workflow objects. We are going to use it here. Depending on your use case, you may be able to avoid the steps of this how-to altogether by assigning different roles to different groups and using the role guards that portal_workflow already supports.

  1. In your workflow, create a script called isUserInAnyGroups. It takes a username and up to five groups (you could use a list but I haven't gotten around to it yet) and returns true if the user is in ANY of the groups.
  2. Go into your newly created script and use these parameters::

    userid, groupid, groupid2=1, groupid3=1, groupid4=1, groupid5=1

  3. As code use::

     # isUserInAnyGroups
     # Return 1 if the user belongs to ANY of the given groups, else 0.
     # The default value 1 marks an unused group parameter.
     wanted = [g for g in (groupid, groupid2, groupid3, groupid4, groupid5) if g != 1]
     # getGroupsByUserId returns every group the user belongs to
     for group in context.portal_groups.getGroupsByUserId(userid):
         if group.getGroupName() in wanted:
             return 1
     return 0
    
  4. Save, then go to the expression guard of the workflow object you want to guard by group and type in the following::

     python: scripts.isUserInAnyGroups(request.AUTHENTICATED_USER.getUserName(), 'the_group_you_are_checking_against', 'another_group_to_check_with')
    

This checks up to five groups and returns true if the user is in ANY of the groups.

Now - you might need a script that checks whether the user is in ALL of the groups. Here it is:

  1. Create a script called isUserInAllGroups (the id must match the name used in the guard expression in step 4)
  2. Set parameters as userid, groupid, groupid2=1, groupid3=1, groupid4=1, groupid5=1
  3. Use code::

     # isUserInAllGroups
     # Return 1 only if the user belongs to ALL of the given groups, else 0.
     # The default value 1 marks an unused group parameter.
     required = [g for g in (groupid, groupid2, groupid3, groupid4, groupid5) if g != 1]
     if not required:
         # No group names were passed in: deny rather than allow
         return 0
     # Names of every group the user belongs to
     names = [group.getGroupName() for group in context.portal_groups.getGroupsByUserId(userid)]
     for g in required:
         if g not in names:
             return 0
     return 1
    
  4. Save, then go to the expression guard and type in::

     python: scripts.isUserInAllGroups(request.AUTHENTICATED_USER.getUserName(), 'the_group_you_are_checking_against', 'another_group_to_check_with')
    

Now it will only return true if the user is in ALL the groups you list (up to five).

That's it - if anyone wants to clean up my code feel free to do so - hope that helped! (Thank you simon for cleaning this up a little)
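The list-based variant mentioned in step 1, covering both the ANY and the ALL check, as an added example that is not part of the original how-to. It is plain Python that runs outside Plone: `FakeGroup`, `FakeGroupsTool`, the function names and the sample membership are constructed stand-ins, and only `getGroupsByUserId()` and `getGroupName()` are taken from the scripts above.

```python
class FakeGroup:
    """Constructed stand-in for a group object returned by portal_groups."""
    def __init__(self, name):
        self._name = name

    def getGroupName(self):
        return self._name


class FakeGroupsTool:
    """Constructed stand-in exposing only getGroupsByUserId()."""
    def __init__(self, membership):
        self._membership = membership

    def getGroupsByUserId(self, userid):
        # Unknown users simply have no groups
        return [FakeGroup(n) for n in self._membership.get(userid, [])]


def _normalise(required):
    # A bare string would otherwise be iterated character by character
    if isinstance(required, str):
        required = [required]
    return set(required)


def user_group_names(groups_tool, userid):
    return set(g.getGroupName() for g in groups_tool.getGroupsByUserId(userid))


def in_any_groups(groups_tool, userid, required):
    """True if the user is in at least one of the required groups."""
    return bool(_normalise(required) & user_group_names(groups_tool, userid))


def in_all_groups(groups_tool, userid, required):
    """True only if the user is in every required group."""
    required = _normalise(required)
    if not required:
        return False  # fail closed: an empty list must not open the transition
    return required <= user_group_names(groups_tool, userid)


# Constructed sample membership, for illustration only
TOOL = FakeGroupsTool({
    "alice": ["Reviewers", "Editors"],
    "bob": ["Editors"],
    "carol": [],
})
```

Inside a workflow script the tool would be `context.portal_groups`, and the guard expression would pass the group names as a single list argument.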

