officejs_support_request: take into account security in RSS

There was an issue that RSS was failing with Unauthorized errors when there was some events users cannot access. (once again, thank you zope security, it was not leaking information just causing error)

officejs_support_request: take into account security in RSS
There was an issue that RSS was failing with Unauthorized errors when there was some events users cannot access. (once again, thank you zope security, it was not leaking information just causing error)
b2b4ee87 · Jérome Perrin · 4a57b536 · b2b4ee87 · b2b4ee87
Commit b2b4ee87 authored Nov 01, 2018 by Jérome Perrin
2 changed files
--- a/bt5/erp5_officejs_support_request_ui/SkinTemplateItem/portal_skins/erp5_officejs_support_request/SupportRequestModule_getEventList.py
+++ b/bt5/erp5_officejs_support_request_ui/SkinTemplateItem/portal_skins/erp5_officejs_support_request/SupportRequestModule_getEventList.py
@@ -24,6 +24,7 @@ def getSupportRequestInfo(event):

 data_list = []
 for brain in portal.portal_simulation.getMovementHistoryList(
+    security_query=portal.portal_catalog.getSecurityQuery(),
    portal_type=portal.getPortalEventTypeList(),
    only_accountable=False,
    follow_up_portal_type='Support Request',

--- a/bt5/erp5_officejs_support_request_ui_test/TestTemplateItem/portal_components/test.erp5.testSupportRequest.py
+++ b/bt5/erp5_officejs_support_request_ui_test/TestTemplateItem/portal_components/test.erp5.testSupportRequest.py
@@ -419,6 +419,25 @@ class TestSupportRequestRSS(SupportRequestTestCase):
        basic='%s:%s' % (self.user.erp5_login.getReference(), self.user_password))
    self._checkRSS(response)

+  def test_RSS_with_non_accessible_events(self):
+    non_visible_event = self.portal.event_module.newContent(
+        portal_type='Web Message',
+        source_value=self.user,
+        follow_up_value=self.support_request,
+        resource_value=self.portal.service_module.erp5_officejs_support_request_ui_test_service_001,
+        text_content="<p>This is a <em>secret event you cannot see</b></p>",
+        start_date=DateTime(2001, 1, 1),
+    )
+    non_visible_event.start()
+    non_visible_event.stop()
+    non_visible_event.manage_permission('View', ['Manager'], 0)
+    self.tic()
+
+    response = self.publish(
+        "%s/support_request_module/SupportRequestModule_viewLastSupportRequestListAsRss" % self.getWebSite().getPath(),
+        basic='%s:%s' % (self.user.erp5_login.getReference(), self.user_password))
+    self._checkRSS(response)
+
  def test_RSS_with_token(self):
    response = self.publish(
        "%s/support_request_module/SupportRequestModule_generateRSSLinkAsJson" % self.getWebSite().getPath(),