diff --git a/bt5/erp5_crm/SkinTemplateItem/portal_skins/erp5_crm/Ticket_getResourceItemList.py b/bt5/erp5_crm/SkinTemplateItem/portal_skins/erp5_crm/Ticket_getResourceItemList.py
index 113a571907d5852be7794e9b03180f7465e92f13..dc094729825f88b7b6ff787ed3385b0350eb069d 100644
--- a/bt5/erp5_crm/SkinTemplateItem/portal_skins/erp5_crm/Ticket_getResourceItemList.py
+++ b/bt5/erp5_crm/SkinTemplateItem/portal_skins/erp5_crm/Ticket_getResourceItemList.py
@@ -38,7 +38,9 @@ getPreferredCategoryChildItemListMethodId.
 # - all resource child must be properly indented
 # It is much simpler if only "empty_category=False" case is handled.
 from Products.ERP5Type.Cache import CachingMethod
+from AccessControl import getSecurityManager
 portal = context.getPortalObject()
+checkPermission = portal.portal_membership.checkPermission
 portal_preferences = portal.portal_preferences
 if use_relative_url is None:
 use_relative_url = portal_preferences.getPreference(
@@ -90,7 +92,7 @@ def getResourceItemList():
 append = result.append
 extend = result.extend
 for _, caption, grand_child_list in sorted(
- [(x.getIntIndex(), getCategoryTitle(x, depth), recurse(x, depth + 1)) for x in child_list],
+ [(x.getIntIndex(), getCategoryTitle(x, depth), recurse(x, depth + 1)) for x in child_list if checkPermission('View', x)],
 key=lambda x: x[:2],
 ):
 if grand_child_list or empty_category:
@@ -99,7 +101,7 @@ def getResourceItemList():
 extend(grand_child_list)
 return result
 category = portal.portal_categories.getCategoryValue(use_relative_url, base_category='use')
- if category is None:
+ if category is None or not checkPermission('View', category):
 return []
 return recurse(category, 0)
@@ -113,6 +115,7 @@ result = CachingMethod(
 accessor_id,
 bool(empty_category),
 use_relative_url,
+ getSecurityManager().getUser().getId(),
 ),
 cache_factory='erp5_ui_long',
 )()
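Review bot: In the `@@ -90,7 +92,7 @@` hunk, the new `if checkPermission('View', x)` filter drops a category together with its whole subtree, because `recurse(x, depth + 1)` is no longer evaluated for it. Descendants the user is allowed to view then disappear from the list as well; if that is intended, a comment on the comprehension would say so, e.g. `# A category without View hides its whole subtree, even children the user could view.` The same `'View'` literal is repeated in the `@@ -99,7 +101,7 @@` hunk, so a single named constant would keep the two checks in step. `recurse` starts outside the hunk, so how `child_list` is built is not visible here.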
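Review bot: In the `@@ -113,6 +115,7 @@` hunk, the cached value is now the outcome of `checkPermission('View', ...)` decisions, yet nothing visible in this diff invalidates an entry when a user's roles or a category's permissions change. With `cache_factory='erp5_ui_long'`, a user whose View access was revoked may keep receiving the previous resource list until the entry expires. The key also assumes that `getUser().getId()` alone determines the permission outcome; if the script can run under proxy roles, or ids can repeat across user folders (neither is visible here), two callers could share an entry. I would document this above the call, e.g. `# Per-user entries are not invalidated on role/permission changes; staleness is bounded by the cache factory lifetime.`, and confirm that the long-lived factory is acceptable for a permission-filtered result. The `CachingMethod(` call begins outside the hunk.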