Commit f3a737d1 authored by Vincent Pelletier's avatar Vincent Pelletier

Rewrite comment about local roles to explain desired code behaviour.

Rewrite local roles handling code to fix a bug introduced in commit 19184: if one local role of one user granted view permission, all local roles (except Owner) of all users were inserted in the security table. Unit test will be added soon.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@19296 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 7eae200e
...@@ -145,33 +145,33 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper): ...@@ -145,33 +145,33 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper):
if len(new_list)>0: if len(new_list)>0:
new_dict[key] = new_list new_dict[key] = new_list
localroles = new_dict localroles = new_dict
user_role_list = [] # For each local role of a user:
for role_list in localroles.values(): # If the local role grants View permission, add it.
user_role_list.extend([role for role in role_list if role not in user_role_list]) # If any local role for this user grant him the View permission, add
# Added for ERP5 project by JP Smets # them all.
# The reason why we do not want to keep Owner is because we are # Every addition implies 2 lines:
# trying to reduce the number of security definitions # user:<user_id>
# However, this is a bad idea if we start to use Owner role # user:<user_id>:<role_id>
# as a kind of bamed Assignee and if we need it for worklists. Therefore # A line must not be present twice in final result.
# we may sometimes catalog the owner user ID whenever the Owner for user, roles in localroles.iteritems():
# has view permission (see getAllowedRolesAndUsers bellow user_can_view = False
# as well as getViewPermissionOwner method in Base) # First pass: find if user has a local role granting him view
view_role_list = [role for role in user_role_list if allowed.has_key(role)] # permission.
for user, roles in localroles.items():
for role in roles: for role in roles:
if role == 'Owner':
continue
if allowed.has_key(role): if allowed.has_key(role):
user_can_view = True
break
if user_can_view:
# Second pass: add all roles if user has view mpermission.
if withnuxgroups: if withnuxgroups:
allowed[user] = 1 prefix = user
else:
allowed['user:' + user] = 1
if len(view_role_list):
#One of Roles has view Permission.
if withnuxgroups:
allowed[user + ':' + role] = 1
else: else:
allowed['user:' + user + ':' + role] = 1 prefix = 'user:' + user
allowed[prefix] = 1
for role in roles:
if role == 'Owner': # Skip this role explicitely
continue
allowed[prefix + ':' + role] = 1
return list(allowed.keys()) return list(allowed.keys())
class RelatedBaseCategory(Method): class RelatedBaseCategory(Method):
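Review bot: The first pass (`if allowed.has_key(role):`) does not skip 'Owner', so an Owner local role that carries View permission now produces the `user:<user_id>` line, while the second pass (`if role == 'Owner': # Skip this role explicitely`) still never produces `user:<user_id>:Owner`; the header comment above the loop ("If the local role grants View permission, add it") does not mention this asymmetry. The removed code appears to have skipped Owner before the view check, so this looks like a change in what the security table exposes for owners and should be stated in the comment, e.g. `# 'Owner' may grant the user:<user_id> line but is never catalogued as user:<user_id>:Owner, to limit the number of security definitions.` The two new comments also carry typos: `mpermission` should read `permission` and `explicitely` should read `explicitly`. The enclosing method starts before this hunk.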