Index: openacs-4/contrib/packages/simulation/www/simbuild/role-edit.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/contrib/packages/simulation/www/simbuild/Attic/role-edit.tcl,v
diff -u -r1.4 -r1.5
--- openacs-4/contrib/packages/simulation/www/simbuild/role-edit.tcl	2 Dec 2003 17:24:32 -0000	1.4
+++ openacs-4/contrib/packages/simulation/www/simbuild/role-edit.tcl	9 Dec 2003 09:52:44 -0000	1.5
@@ -46,9 +46,9 @@
         {html {size 20}}
     }
 } -edit_request {
-    permission::require_write_permission -object_id $role_id    
     workflow::role::get -role_id $role_id -array role_array
     set workflow_id $role_array(workflow_id)
+    permission::require_write_permission -object_id $workflow_id
     set name $role_array(pretty_name)
     workflow::get -workflow_id $workflow_id -array sim_template_array
     set page_title "Edit Role template $name"
@@ -68,7 +68,12 @@
         -role_pretty_name $name
 
 } -edit_data {
-    permission::require_write_permission -object_id $role_id        
+    workflow::role::get -role_id $role_id -array role_array
+    # We use role_array(workflow_id) here, which is gotten from the DB, and not
+    # workflow_id, which is gotten from the form, because the workflow_id from the form 
+    # could be spoofed
+    permission::require_write_permission -object_id $role_array(workflow_id)
+
     set role_array(pretty_name) $name
 
     workflow::role::edit \
Index: openacs-4/contrib/packages/simulation/www/simbuild/task-edit.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/contrib/packages/simulation/www/simbuild/Attic/task-edit.tcl,v
diff -u -r1.5 -r1.6
--- openacs-4/contrib/packages/simulation/www/simbuild/task-edit.tcl	2 Dec 2003 17:24:32 -0000	1.5
+++ openacs-4/contrib/packages/simulation/www/simbuild/task-edit.tcl	9 Dec 2003 09:52:45 -0000	1.6
@@ -82,9 +82,8 @@
         {html {cols 60 rows 8}}
     }
 } -edit_request {
-    permission::require_write_permission -object_id $action_id
-    # TODO - get the recipient (and put all this in simulation api)
     set workflow_id $task_array(workflow_id)
+    permission::require_write_permission -object_id $workflow_id
     set name $task_array(pretty_name)
     set description [template::util::richtext::create $task_array(description) $task_array(description_mime_type)]
     set recipient_role_id [db_string select_recipient {
@@ -124,7 +123,10 @@
         values (:action_id, :recipient_role_id)
     }
 } -edit_data {
-    permission::require_write_permission -object_id $action_id
+    # We use task_array(workflow_id) here, which is gotten from the DB, and not
+    # workflow_id, which is gotten from the form, because the workflow_id from the form 
+    # could be spoofed
+    permission::require_write_permission -object_id $task_array(workflow_id)
     simulation::action::edit \
         -action_id $action_id \
         -short_name $name \
Index: openacs-4/contrib/packages/simulation/www/simbuild/template-edit.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/contrib/packages/simulation/www/simbuild/Attic/template-edit.adp,v
diff -u -r1.4 -r1.5
--- openacs-4/contrib/packages/simulation/www/simbuild/template-edit.adp	3 Dec 2003 15:00:50 -0000	1.4
+++ openacs-4/contrib/packages/simulation/www/simbuild/template-edit.adp	9 Dec 2003 09:52:45 -0000	1.5
@@ -16,11 +16,14 @@
   <h4>Roles</h4>
 
   <include src="/packages/simulation/lib/sim-template-roles" workflow_id="@workflow_id@" display_mode="edit">
+  <p></p>
 
   <h4>Tasks</h4>
 
   <include src="/packages/simulation/lib/sim-template-tasks" workflow_id="@workflow_id@" display_mode="edit" >
 </if>
+<P>TODO: Allow sorting of roles, (states), tasks.</p>
+
 <p>MOCKUP: workflow matrix
 <table cellpadding=3 border=1 cellspacing=0>
 <tr><th></th><th>Talking to Client</th><th>Prepare Case</th><th>Submit
@@ -29,4 +32,4 @@
 <tr><th>Respond to Ask information </th><th>X</th><th></th><th></th></tr>
 <tr><th>INtervene</th><th>X</th><th>X</th><th>X</th></tr>
 <tr><th><input type="submit" value="add task"></th></tr>
-</table>
\ No newline at end of file
+</table>
Index: openacs-4/contrib/packages/simulation/www/simbuild/template-edit.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/contrib/packages/simulation/www/simbuild/Attic/template-edit.tcl,v
diff -u -r1.5 -r1.6
--- openacs-4/contrib/packages/simulation/www/simbuild/template-edit.tcl	2 Dec 2003 17:24:32 -0000	1.5
+++ openacs-4/contrib/packages/simulation/www/simbuild/template-edit.tcl	9 Dec 2003 09:52:45 -0000	1.6
@@ -27,11 +27,13 @@
 
 if { [ad_form_new_p -key workflow_id] } {
     set mode edit
+    set cancel_url .
 } else {
     set mode display
+    set cancel_url [export_vars -base [ad_conn url] { workflow_id }]
 }
 
-ad_form -name sim_template -mode $mode -cancel_url . -form {
+ad_form -name sim_template -mode $mode -cancel_url $cancel_url -form {
     {workflow_id:key}
     {name:text,optional
         {label "Template Name"}
Index: openacs-4/packages/simulation/www/simbuild/role-edit.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/simulation/www/simbuild/role-edit.tcl,v
diff -u -r1.4 -r1.5
--- openacs-4/packages/simulation/www/simbuild/role-edit.tcl	2 Dec 2003 17:24:32 -0000	1.4
+++ openacs-4/packages/simulation/www/simbuild/role-edit.tcl	9 Dec 2003 09:52:44 -0000	1.5
@@ -46,9 +46,9 @@
         {html {size 20}}
     }
 } -edit_request {
-    permission::require_write_permission -object_id $role_id    
     workflow::role::get -role_id $role_id -array role_array
     set workflow_id $role_array(workflow_id)
+    permission::require_write_permission -object_id $workflow_id
     set name $role_array(pretty_name)
     workflow::get -workflow_id $workflow_id -array sim_template_array
     set page_title "Edit Role template $name"
@@ -68,7 +68,12 @@
         -role_pretty_name $name
 
 } -edit_data {
-    permission::require_write_permission -object_id $role_id        
+    workflow::role::get -role_id $role_id -array role_array
+    # We use role_array(workflow_id) here, which is gotten from the DB, and not
+    # workflow_id, which is gotten from the form, because the workflow_id from the form 
+    # could be spoofed
+    permission::require_write_permission -object_id $role_array(workflow_id)
+
     set role_array(pretty_name) $name
 
     workflow::role::edit \
Index: openacs-4/packages/simulation/www/simbuild/task-edit.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/simulation/www/simbuild/task-edit.tcl,v
diff -u -r1.5 -r1.6
--- openacs-4/packages/simulation/www/simbuild/task-edit.tcl	2 Dec 2003 17:24:32 -0000	1.5
+++ openacs-4/packages/simulation/www/simbuild/task-edit.tcl	9 Dec 2003 09:52:45 -0000	1.6
@@ -82,9 +82,8 @@
         {html {cols 60 rows 8}}
     }
 } -edit_request {
-    permission::require_write_permission -object_id $action_id
-    # TODO - get the recipient (and put all this in simulation api)
     set workflow_id $task_array(workflow_id)
+    permission::require_write_permission -object_id $workflow_id
     set name $task_array(pretty_name)
     set description [template::util::richtext::create $task_array(description) $task_array(description_mime_type)]
     set recipient_role_id [db_string select_recipient {
@@ -124,7 +123,10 @@
         values (:action_id, :recipient_role_id)
     }
 } -edit_data {
-    permission::require_write_permission -object_id $action_id
+    # We use task_array(workflow_id) here, which is gotten from the DB, and not
+    # workflow_id, which is gotten from the form, because the workflow_id from the form 
+    # could be spoofed
+    permission::require_write_permission -object_id $task_array(workflow_id)
     simulation::action::edit \
         -action_id $action_id \
         -short_name $name \
Index: openacs-4/packages/simulation/www/simbuild/template-edit.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/simulation/www/simbuild/template-edit.adp,v
diff -u -r1.4 -r1.5
--- openacs-4/packages/simulation/www/simbuild/template-edit.adp	3 Dec 2003 15:00:50 -0000	1.4
+++ openacs-4/packages/simulation/www/simbuild/template-edit.adp	9 Dec 2003 09:52:45 -0000	1.5
@@ -16,11 +16,14 @@
   <h4>Roles</h4>
 
   <include src="/packages/simulation/lib/sim-template-roles" workflow_id="@workflow_id@" display_mode="edit">
+  <p></p>
 
   <h4>Tasks</h4>
 
   <include src="/packages/simulation/lib/sim-template-tasks" workflow_id="@workflow_id@" display_mode="edit" >
 </if>
+<P>TODO: Allow sorting of roles, (states), tasks.</p>
+
 <p>MOCKUP: workflow matrix
 <table cellpadding=3 border=1 cellspacing=0>
 <tr><th></th><th>Talking to Client</th><th>Prepare Case</th><th>Submit
@@ -29,4 +32,4 @@
 <tr><th>Respond to Ask information </th><th>X</th><th></th><th></th></tr>
 <tr><th>INtervene</th><th>X</th><th>X</th><th>X</th></tr>
 <tr><th><input type="submit" value="add task"></th></tr>
-</table>
\ No newline at end of file
+</table>
Index: openacs-4/packages/simulation/www/simbuild/template-edit.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/simulation/www/simbuild/template-edit.tcl,v
diff -u -r1.5 -r1.6
--- openacs-4/packages/simulation/www/simbuild/template-edit.tcl	2 Dec 2003 17:24:32 -0000	1.5
+++ openacs-4/packages/simulation/www/simbuild/template-edit.tcl	9 Dec 2003 09:52:45 -0000	1.6
@@ -27,11 +27,13 @@
 
 if { [ad_form_new_p -key workflow_id] } {
     set mode edit
+    set cancel_url .
 } else {
     set mode display
+    set cancel_url [export_vars -base [ad_conn url] { workflow_id }]
 }
 
-ad_form -name sim_template -mode $mode -cancel_url . -form {
+ad_form -name sim_template -mode $mode -cancel_url $cancel_url -form {
     {workflow_id:key}
     {name:text,optional
         {label "Template Name"}