Make relation string field manage permission correctly.

Only display objects for which user has the right permission.
Never remove the relation to not viewable objects.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@20988 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5Form/Form.py

@@ -193,6 +193,7 @@ class DefaultValue(StaticValue):
       form = field.aq_parent
       ob = getattr(form, 'aq_parent', None)
       value = self.value
+      try:
         if value not in (None, ''):
           # If a default value is defined on the field, it has precedence
           value = ob.getProperty(self.key, d=value)
@@ -200,6 +201,11 @@ class DefaultValue(StaticValue):
           # else we should give a chance to the accessor to provide
           # a default value (including None)
           value = ob.getProperty(self.key)
+      except Unauthorized:
+        value = ob.getProperty(self.key, d=value, checked_permission='View')
+        REQUEST = get_request()
+        if REQUEST is not None:
+          REQUEST.set('read_only_%s' % self.key, 1)
     except (KeyError, AttributeError):
       value = None
     return self.returnValue(field, id, value)

product/ERP5Form/MultiRelationField.py

@@ -431,12 +431,14 @@ class MultiRelationEditor:
             set_method_name = '_set%sValue' % \
                          convertToUpperCase(self.base_category)
             getattr(o, set_method_name)(relation_object_list[0],
-                                        portal_type=self.portal_type_list)
+                                        portal_type=self.portal_type_list,
+                                        checked_permission='View')
           else:
             set_method_name = '_set%sValueList' % \
                          convertToUpperCase(self.base_category)
             getattr(o, set_method_name)(relation_object_list,
-                                        portal_type=self.portal_type_list)
+                                        portal_type=self.portal_type_list,
+                                        checked_permission='View')
 
 allow_class(MultiRelationEditor)
 

product/ERP5Form/RelationField.py

@@ -59,6 +59,13 @@ class RelationStringFieldWidget(
 
   def _generateRenderValueList(self, field, key, value, REQUEST):
 #     value = value or NO_VALUE
+
+    if REQUEST.get(
+        'read_only_%s' % REQUEST.get(
+           'field__proxyfield_%s_%s_default' % (field.id, field._p_oid), 
+           field).getId()[3:], 0):
+      return []
+    else:
       relation_field_id = field.generate_subfield_key(SUB_FIELD_ID, key=key)
       relation_item_key = field.generate_subfield_key(ITEM_ID, key=key)
       relation_item_list = REQUEST.get(relation_item_key, [])