officejs_support_request: take into account security when listing comments

Security might be configured in a way that even if user can see the support request he cannot see all events related to that support request. We should handle this case by filtering out the event and not letting Unauthorized error happen.

officejs_support_request: take into account security when listing comments
Security might be configured in a way that even if user can see the support request he cannot see all events related to that support request. We should handle this case by filtering out the event and not letting Unauthorized error happen.
7782b1df · Jérome Perrin · b2b4ee87 · 7782b1df · 7782b1df
Commit 7782b1df authored Nov 01, 2018 by Jérome Perrin
2 changed files
--- a/bt5/erp5_officejs_support_request_ui/SkinTemplateItem/portal_skins/erp5_officejs_support_request/SupportRequest_getCommentPostListAsJson.py
+++ b/bt5/erp5_officejs_support_request_ui/SkinTemplateItem/portal_skins/erp5_officejs_support_request/SupportRequest_getCommentPostListAsJson.py
@@ -3,6 +3,7 @@ portal = context.getPortalObject()
 document_type_list = portal.getPortalDocumentTypeList()

 event_list = portal.portal_simulation.getMovementHistoryList(
+    security_query=portal.portal_catalog.getSecurityQuery(),
    portal_type=portal.getPortalEventTypeList(),
    strict_follow_up_uid=context.getUid(),
    simulation_state=('started', 'stopped', 'delivered', ),

--- a/bt5/erp5_officejs_support_request_ui_test/TestTemplateItem/portal_components/test.erp5.testSupportRequest.py
+++ b/bt5/erp5_officejs_support_request_ui_test/TestTemplateItem/portal_components/test.erp5.testSupportRequest.py
@@ -357,6 +357,27 @@ class TestSupportRequestCommentOnExistingSupportRequest(SupportRequestTestCase):
        attachment_name=None,)],
      ignoreKeys(json.loads(support_request.SupportRequest_getCommentPostListAsJson()), 'message_id'))

+  def test_support_request_comment_only_include_visible_events(self):
+    """It should be possible to have a Support Request user can view but
+    with some events user cannot view. In this case, they should be filtered
+    out.
+    """
+    support_request = self.portal.support_request_module.erp5_officejs_support_request_ui_test_support_reuqest_001
+    non_visible_event = self.portal.event_module.newContent(
+        portal_type='Web Message',
+        source_value=self.user,
+        follow_up_value=support_request,
+        resource_value=self.portal.service_module.erp5_officejs_support_request_ui_test_service_001,
+        text_content="<b>Secret</b> message",
+        start_date=DateTime(2001, 1, 1),
+    )
+    non_visible_event.start()
+    non_visible_event.stop()
+    non_visible_event.manage_permission('View', ['Manager'], 0)
+
+    self.tic()
+    self.assertEqual([], json.loads(support_request.SupportRequest_getCommentPostListAsJson()))
+

 class TestSupportRequestRSS(SupportRequestTestCase):
  # XXX token PAS plugin is not set up automatically when installing erp5_access_token