(WIP) PythonScript: add a keep_local_roles checkbox in manage_proxyForm

product/ERP5Type/patches/PythonScript.py

@@ -18,10 +18,13 @@ from . import PatchClass
 from AccessControl import ClassSecurityInfo, getSecurityManager
 from AccessControl.class_init import InitializeClass
 from AccessControl.PermissionRole import rolesForPermissionOn
+from AccessControl.requestmethod import requestmethod
 from OFS.misc_ import p_
 from App.ImageFile import ImageFile
 from Acquisition import aq_base, aq_parent
 from zExceptions import Forbidden
+from App.Dialogs import MessageDialog
+from Shared.DC.Scripts.Script import defaultBindings
 
 ### Guards
 
@@ -74,11 +77,14 @@ def getGuard(self):
 def getRoles(ob):
   sm = getSecurityManager()
   stack = sm._context.stack
+  local_roles = sm.getUser().getRolesInContext(ob)
   if stack:
     proxy_roles = getattr(stack[-1], '_proxy_roles', None)
     if proxy_roles:
+      if self.keep_local_roles:
+        return set(proxy_roles + local_roles)
       return set(proxy_roles)
-  return set(sm.getUser().getRolesInContext(ob))
+  return set(local_roles)
 
 def _checkGuard(guard, ob):
   # returns 1 if guard passes against ob, else 0.
@@ -181,12 +187,32 @@ class _(PatchClass(PythonScript)):
   security.declarePublic("render")
   render = __call__
 
+  def __init__(self, id):
+      self.id = id
+      self.ZBindings_edit(defaultBindings)
+      self.keep_local_roles = False
+      self._makeFunction()
+
+  @requestmethod('POST')
+  def manage_proxy(self, roles=(), keep_local_roles=False, REQUEST=None):
+      "Change Proxy Roles"
+      self._validateProxy(roles)
+      self._validateProxy()
+      self.ZCacheable_invalidate()
+      self._proxy_roles=tuple(roles)
+      self.keep_local_roles=keep_local_roles
+      if REQUEST: return MessageDialog(
+                  title  ='Success!',
+                  message='Your changes have been saved',
+                  action ='manage_main')
+
   # For __render_with_namespace__ (we prefer to monkey-patch __call__
   # because it's called more often, and this makes debugging easier)
   _orig_bindAndExec = PythonScript._bindAndExec
   def _bindAndExec(self, args, kw, caller_namespace):
     return self(*args, **kw) # caller_namespace not used by PythonScript
 
+PythonScript.manage_proxyForm = DTMLFile('dtml/manageProxyForm', globals())
 addGuard(PythonScript, 'Change Python Scripts')
 
 InitializeClass(PythonScript)

product/ERP5Type/patches/dtml/manageProxyForm.dtml

+<dtml-var manage_page_header>
+<dtml-var manage_tabs>
+
+<p class="form-help">
+Proxy roles allow you to control the access that a script has. Proxy roles 
+replace the roles of the user who is executing the script. This can be used 
+to both expand and limit access to resources. Select the proxy roles for 
+this object from the list below.
+</p>
+
+<form action="manage_proxy" method="post">
+<table cellpadding="2" cellspacing="0" border="0">
+<tr>
+<tr>
+  <td align="left" valign="top">
+  <div class="form-label">
+  Proxy Roles
+  </div>
+  </td>
+  <td align="left" valign="top">
+  <div class="form-element">
+  <select name="roles:list" size="7" multiple>
+  <dtml-in valid_roles>
+  <dtml-if expr="_vars['sequence-item'] != 'Shared'">
+  <option <dtml-if 
+   expr="manage_haveProxy(_vars['sequence-item'])">selected</dtml-if
+  >>&dtml-sequence-item;</option>
+  </dtml-if>
+  </dtml-in valid_roles>
+  </select>
+  </div>
+  </td>
+</tr>
+<tr>
+  <td align="left" valign="top">
+  <div class="form-label">
+  Keep Local Roles
+  </div>
+  </td>
+  <td align="left" valign="top">
+  <input type="checkbox" name="keep_local_roles:boolean" value="1"
+    <dtml-if "keep_local_roles">checked</dtml-if>
+  </td>
+  <td>
+  <span class="form-help">(check if you want local roles also to be computed)</span>
+  </td>
+</tr>
+<tr>
+  <td align="left" valign="top" colspan="2">
+  <div class="form-element">
+  <input class="form-element" type="submit" name="SUBMIT" value="Save Changes">
+  </div>
+  </td>
+</tr>
+</table>
+
+</form>
+
+<dtml-var manage_page_footer>