Commit 8e20c0eb authored by Georgios Dagkakis

erp5_crm: Skip unauthorised items in Ticket_getResourceItemList

For example, Categories in "expired" state.

As a consequence, user is included in cache key.


/reviewed-on !899
parent 2c51448e
...@@ -38,7 +38,9 @@ getPreferredCategoryChildItemListMethodId. ...@@ -38,7 +38,9 @@ getPreferredCategoryChildItemListMethodId.
# - all resource child must be properly indented # - all resource child must be properly indented
# It is much simpler if only "empty_category=False" case is handled. # It is much simpler if only "empty_category=False" case is handled.
from Products.ERP5Type.Cache import CachingMethod from Products.ERP5Type.Cache import CachingMethod
from AccessControl import getSecurityManager
portal = context.getPortalObject() portal = context.getPortalObject()
checkPermission = portal.portal_membership.checkPermission
portal_preferences = portal.portal_preferences portal_preferences = portal.portal_preferences
if use_relative_url is None: if use_relative_url is None:
use_relative_url = portal_preferences.getPreference( use_relative_url = portal_preferences.getPreference(
...@@ -90,7 +92,7 @@ def getResourceItemList(): ...@@ -90,7 +92,7 @@ def getResourceItemList():
append = result.append append = result.append
extend = result.extend extend = result.extend
for _, caption, grand_child_list in sorted( for _, caption, grand_child_list in sorted(
[(x.getIntIndex(), getCategoryTitle(x, depth), recurse(x, depth + 1)) for x in child_list], [(x.getIntIndex(), getCategoryTitle(x, depth), recurse(x, depth + 1)) for x in child_list if checkPermission('View', x)],
key=lambda x: x[:2], key=lambda x: x[:2],
): ):
if grand_child_list or empty_category: if grand_child_list or empty_category:
...@@ -99,7 +101,7 @@ def getResourceItemList(): ...@@ -99,7 +101,7 @@ def getResourceItemList():
extend(grand_child_list) extend(grand_child_list)
return result return result
category = portal.portal_categories.getCategoryValue(use_relative_url, base_category='use') category = portal.portal_categories.getCategoryValue(use_relative_url, base_category='use')
if category is None: if category is None or not checkPermission('View', category):
return [] return []
return recurse(category, 0) return recurse(category, 0)
...@@ -113,6 +115,7 @@ result = CachingMethod( ...@@ -113,6 +115,7 @@ result = CachingMethod(
accessor_id, accessor_id,
bool(empty_category), bool(empty_category),
use_relative_url, use_relative_url,
getSecurityManager().getUser().getId(),
), ),
cache_factory='erp5_ui_long', cache_factory='erp5_ui_long',
)() )()
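Review bot: The `checkPermission('View', ...)` results are now stored in the `erp5_ui_long` cache under a key that varies only by `getSecurityManager().getUser().getId()`, so an authorisation decision taken when the entry is filled is replayed for the whole lifetime of that entry. If a category moves to "expired" afterwards, or the user's roles or group assignments change, that user keeps receiving the previous item list until the entry expires; the lifetime of `erp5_ui_long` is not visible here. I would either move this call to a shorter-lived cache factory or state the trade-off next to the key, e.g. `# per-user key: View checks are cached, revoked access lingers until the entry expires`. Keying by user id also multiplies the number of long-lived entries by the number of users, which is worth confirming against the cache size. The body of getResourceItemList starts outside the visible hunks, so how child_list is built could not be checked.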