erp5_hal_json_style: relationfield is rendered as no editable with empty value...

erp5_hal_json_style: relationfield is rendered as no editable with empty value when user can't access related document

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py

@@ -7,6 +7,7 @@ import datetime
 import time
 from email.Utils import formatdate
 import re
+from zExceptions import Unauthorized
 
 if REQUEST is None:
   REQUEST = context.REQUEST
@@ -209,10 +210,16 @@ def renderField(traversed_document, field, form, value=None, meta_type=None, key
 
       accessor_name = 'get%sValueList' % \
         ''.join([part.capitalize() for part in base_category.split('_')])
-      jump_reference_list = getattr(traversed_document, accessor_name)(
-        portal_type=[x[0] for x in field.get_value('portal_type')],
-        filter=kw
-      ) or []
+      try:
+        jump_reference_list = getattr(traversed_document, accessor_name)(
+          portal_type=[x[0] for x in field.get_value('portal_type')],
+          filter=kw
+        ) or []
+      except Unauthorized:
+        jump_reference_list = []
+        result.update({
+          "editable": False 
+        })
     query = url_template_dict["jio_search_template"] % {
       "query": make_query({"query": sql_catalog.buildQuery(
         {"portal_type": portal_type_list}

bt5/erp5_web_renderjs_ui_test/PathTemplateItem/portal_tests/renderjs_ui_relation_field_zuite/testAccessUnauthorizedRelationValue.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="ZopePageTemplate" module="Products.PageTemplates.ZopePageTemplate"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>content_type</string> </key>
+            <value> <string>text/html</string> </value>
+        </item>
+        <item>
+            <key> <string>expand</string> </key>
+            <value> <int>0</int> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>testAccessUnauthorizedRelationValue</string> </value>
+        </item>
+        <item>
+            <key> <string>output_encoding</string> </key>
+            <value> <string>utf-8</string> </value>
+        </item>
+        <item>
+            <key> <string>title</string> </key>
+            <value> <unicode></unicode> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_web_renderjs_ui_test/PathTemplateItem/portal_tests/renderjs_ui_relation_field_zuite/testAccessUnauthorizedRelationValue.zpt

+<html xmlns:tal="http://xml.zope.org/namespaces/tal"
+      xmlns:metal="http://xml.zope.org/namespaces/metal">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Test RenderJS UI</title>
+</head>
+<body>
+<table cellpadding="1" cellspacing="1" border="1">
+<thead>
+<tr><td rowspan="1" colspan="3">Test RenderJS UI</td></tr>
+</thead><tbody>
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/init" />
+
+<!-- Clean Up -->
+<tr>
+  <td>open</td>
+  <td>${base_url}/foo_module/ListBoxZuite_reset</td>
+  <td></td>
+</tr>
+<tr>
+  <td>assertTextPresent</td>
+  <td>Reset Successfully.</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>open</td>
+  <td>${base_url}/Foo_createHasUnauthorizedFoo</td>
+  <td></td>
+</tr>
+<tr>
+  <td>waitForTextPresent</td>
+  <td>Done</td>
+  <td></td>
+</tr>
+
+<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/wait_for_activities" />
+
+
+<!-- Initialize -->
+<tr>
+  <td>open</td>
+  <td>${base_url}/web_site_module/renderjs_runner/#/foo_module</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>waitForElementPresent</td>
+  <td>//a[contains(text(), 'hasAccessUnauthorized')]</td>
+  <td></td>
+</tr>
+
+
+<tr>
+  <td>click</td>
+  <td>//a[contains(text(), 'hasAccessUnauthorized')]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>waitForElementPresent</td>
+  <td>//a[@data-i18n="Editable"]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>click</td>
+  <td>//a[@data-i18n="Editable"]</td>
+  <td></td>
+</tr>
+
+<tr>
+  <td>waitForElementPresent</td>
+  <td>//button[@data-i18n="Save"]</td>
+  <td></td>
+</tr>
+
+
+<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/go_to_foo_relation_field_view" />
+
+<tr>
+  <td>waitForElementPresent</td>
+  <td>//button[@data-i18n="Save"]</td>
+  <td></td>
+</tr>
+
+
+<tr>
+  <td>waitForElementPresent</td>
+  <td>//label[@for="field_my_successor_title"]</td>
+  <td></td>
+</tr>
+
+
+<tr>
+  <td>verifyElementNotPresent</td>
+  <td>//div[@data-gadget-scope="field_my_successor_title"]//input</td>
+  <td></td>
+</tr>
+
+
+
+
+</tbody></table>
+</body>
+</html>
\ No newline at end of file

bt5/erp5_web_renderjs_ui_test/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui_test/Foo_createHasUnauthorizedFoo.py

+foo1 = context.foo_module.newContent(portal_type='Foo')
+foo2 = context.foo_module.newContent(portal_type='Foo')
+foo1.setTitle('hasAccessUnauthorized')
+foo1.setSuccessorValue(foo2)
+
+foo1.immediateReindexObject()
+foo2.immediateReindexObject()
+
+
+
+foo2.activate().manage_permission( 'Access contents information', 'Manager', 0)
+
+return 'Done'

bt5/erp5_web_renderjs_ui_test/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui_test/Foo_createHasUnauthorizedFoo.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string></string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>Foo_createHasUnauthorizedFoo</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

[Vincent Pelletier]

Why call immediateReindexObject ? I see the next sequence step is precisely to wait for any pending activity to finish, so I do not understand these 2 lines.

/cc @romain

[Xiaowu Zhang]

@vpelletier without those 2 lines, foo1 and foo2 may get randomly recursiveImmediateReindexObject failure, the error is:

Exception Type	Unauthorized
Exception Value	You are not allowed to access 'isResourceType' in this context

then test will fail

so i think reindex should be done before change permission of foo2 is done

[Jérome Perrin]

Can it be related with the fact that we passing roles as a string where method expect a sequence ?

( see https://github.com/zopefoundation/AccessControl/blob/1b5488a478a80c44586db845c5c817f336590a5d/src/AccessControl/interfaces.py#L119 )

My guess is that this grants permission to ['M', 'a', 'n', 'a', 'g', 'e', 'r'] , but it's an interesting error. I should not be a problem to reindex a document on which Manager role does not have any permission.

[Vincent Pelletier]

@xiaowu.zhang : Did you check Jerome's guess ?