Commit 23d8edc5 authored by Julien Muchembled's avatar Julien Muchembled

For object_view forms, test action by calling it with a special parameter...

For object_view forms, test action by calling it with a special parameter instead of hardcoding required permission

Before this commit, the condition to display the 'Save' button on object_view
actions was to check whether the user has 'Modify portal content' permission.

Now, it's possible to add forms that can be saved under a different condition
than having 'Modify portal content' permission.

TODO: unit test
parent 8c90e61c
......@@ -466,16 +466,12 @@ def renderForm(traversed_document, form, response_dict, key_prefix=None, selecti
field_errors = REQUEST.get('field_errors', {})
#hardcoded
include_action = True
if form.pt == 'form_dialog':
action_to_call = "Base_callDialogMethod"
else:
action_to_call = form.action
if (action_to_call == 'Base_edit') and (not portal.portal_membership.checkPermission('Modify portal content', traversed_document)):
# prevent allowing editing if user doesn't have permission
include_action = False
action_to_call = form.getAction(traversed_document)
if (include_action):
if action_to_call:
# Form action
response_dict['_actions'] = {
'put': {
......
......@@ -8,7 +8,7 @@
form nocall: form | nothing;
form_id form/id | template/id | nothing;
portal here/getPortalObject;
form_action python: form and form.action not in ('', None) and portal.portal_membership.checkPermission('Modify portal content', here) and form.action or nothing;
form_action python: form and form.getAction(here);
local_parameter_list local_parameter_list | python: {};
dummy python: local_parameter_list.update({'object_uid': object_uid, 'object_path': object_path, 'form_id': form_id});
title python: '%s - %s' % (portal.Base_translateString(template.title_or_id()), here.getTitle());
......
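Review bot: `form.getAction(here)` is now called from a restricted `python:` expression, yet the Form.py hunk of this commit shows no security declaration next to `def getAction`, so which permission guards the method is left to the class's default policy. An explicit declaration on ERP5Form's ClassSecurityInfo (`declareProtected` with the permission the form views already require, or `declarePublic` if that is the intent) would make the access rule reviewable. Note also that the old expression never touched the action object, whereas the new one may invoke the script on every page render.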
......@@ -41,6 +41,7 @@ from Products.ERP5Type import PropertySheet, Permissions
from urllib import quote
from Products.ERP5Type.Globals import DTMLFile, get_request
from AccessControl import Unauthorized, ClassSecurityInfo
from AccessControl.ZopeGuards import guarded_getattr
from DateTime import DateTime
from ZODB.POSException import ConflictError
from zExceptions import Redirect
......@@ -1292,6 +1293,22 @@ class ERP5Form(Base, ZMIForm, ZopePageTemplate):
return str((self.pt, self.name, self.action, self.update_action,
self.encoding, self.stored_encoding, self.enctype))
def getAction(self, context):
action = self.action
if action:
try:
m = guarded_getattr(context, action)
except Unauthorized:
pass
else:
code = m.func_code
args = code.co_varnames[:code.co_argcount]
if (m(form_id=self.id, check_security=1) if 'form_id' in args else
m(check_security=1)) if 'check_security' in args else \
context.getPortalObject().portal_membership.checkPermission(
'Modify portal content', context):
return action
# utility function
def get_field_meta_type_and_proxy_flag(field):
if field.meta_type=='ProxyField':
......
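Review bot: getAction runs the action script itself while the form is being rendered, and nothing in the hunk states the contract that makes this safe: a script declaring a `check_security` parameter has to answer without side effects when it is set, and it still has to enforce its own condition on the real call, because the name returned here only decides whether the button is shown. A docstring on getAction should say this, along with the fallback to 'Modify portal content' for scripts that lack the parameter. The nested conditional expression is hard to audit, and `m.func_code` assumes the resolved object is a script or function while only `Unauthorized` is caught, so any other callable would presumably raise during rendering; the sketch below unrolls the three cases and falls back to the permission check when there is no code object. getAction sits entirely inside the hunk; the rest of the ERP5Form class is outside it.

```python
  def getAction(self, context):
    action = self.action
    if not action:
      return None
    try:
      m = guarded_getattr(context, action)
    except Unauthorized:
      return None
    code = getattr(m, 'func_code', None)
    args = code.co_varnames[:code.co_argcount] if code is not None else ()
    if 'check_security' in args:
      # Probe call only: the script must answer without modifying anything.
      if 'form_id' in args:
        allowed = m(form_id=self.id, check_security=1)
      else:
        allowed = m(check_security=1)
    else:
      allowed = context.getPortalObject().portal_membership.checkPermission(
        'Modify portal content', context)
    if allowed:
      return action
```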
......@@ -82,8 +82,8 @@ def getRoles(ob):
def _checkGuard(guard, ob):
# returns 1 if guard passes against ob, else 0.
# TODO : implement TALES evaluation by defining an appropriate
# context.
# NOTE: Do not implement TALES evaluation like on workflow transition.
# See also https://lab.nexedi.com/nexedi/erp5/merge_requests/133
if guard.permissions:
# Require at least one role for required roles for the given permission.
u_roles = getRoles(ob)
......