Commit 7782b1df authored by Jérome Perrin's avatar Jérome Perrin

officejs_support_request: take into account security when listing comments

Security might be configured in a way that even if user can see the
support request he cannot see all events related to that support
request. We should handle this case by filtering out the event and not
letting Unauthorized error happen.
parent b2b4ee87
Pipeline #5596 failed with stage
...@@ -3,6 +3,7 @@ portal = context.getPortalObject() ...@@ -3,6 +3,7 @@ portal = context.getPortalObject()
document_type_list = portal.getPortalDocumentTypeList() document_type_list = portal.getPortalDocumentTypeList()
event_list = portal.portal_simulation.getMovementHistoryList( event_list = portal.portal_simulation.getMovementHistoryList(
security_query=portal.portal_catalog.getSecurityQuery(),
portal_type=portal.getPortalEventTypeList(), portal_type=portal.getPortalEventTypeList(),
strict_follow_up_uid=context.getUid(), strict_follow_up_uid=context.getUid(),
simulation_state=('started', 'stopped', 'delivered', ), simulation_state=('started', 'stopped', 'delivered', ),
......
...@@ -357,6 +357,27 @@ class TestSupportRequestCommentOnExistingSupportRequest(SupportRequestTestCase): ...@@ -357,6 +357,27 @@ class TestSupportRequestCommentOnExistingSupportRequest(SupportRequestTestCase):
attachment_name=None,)], attachment_name=None,)],
ignoreKeys(json.loads(support_request.SupportRequest_getCommentPostListAsJson()), 'message_id')) ignoreKeys(json.loads(support_request.SupportRequest_getCommentPostListAsJson()), 'message_id'))
def test_support_request_comment_only_include_visible_events(self):
"""It should be possible to have a Support Request user can view but
with some events user cannot view. In this case, they should be filtered
out.
"""
support_request = self.portal.support_request_module.erp5_officejs_support_request_ui_test_support_reuqest_001
non_visible_event = self.portal.event_module.newContent(
portal_type='Web Message',
source_value=self.user,
follow_up_value=support_request,
resource_value=self.portal.service_module.erp5_officejs_support_request_ui_test_service_001,
text_content="<b>Secret</b> message",
start_date=DateTime(2001, 1, 1),
)
non_visible_event.start()
non_visible_event.stop()
non_visible_event.manage_permission('View', ['Manager'], 0)
self.tic()
self.assertEqual([], json.loads(support_request.SupportRequest_getCommentPostListAsJson()))
class TestSupportRequestRSS(SupportRequestTestCase): class TestSupportRequestRSS(SupportRequestTestCase):
# XXX token PAS plugin is not set up automatically when installing erp5_access_token # XXX token PAS plugin is not set up automatically when installing erp5_access_token
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment