notification_tool: fix Unauthorized when sending message to person user cannot access

product/ERP5/Tool/NotificationTool.py

@@ -288,7 +288,7 @@ class NotificationTool(BaseTool):
     searchUsers = self.acl_users.searchUsers
     def getUserValueByUserId(user_id):
       user, = searchUsers(id=user_id, exact_match=True)
-      return portal.restrictedTraverse(user['path'])
+      return portal.unrestrictedTraverse(user['path'])
 
     if notifier_list is None:
       # XXX TODO: Use priority_level. Need to implement default notifier query system.

product/ERP5/tests/testNotificationTool.py

@@ -485,6 +485,29 @@ Yes, I will go."""
     sequence_list.addSequenceString(sequence_string)
     sequence_list.play(self)
 
+  def stepCheckNotificationWithoutPermissionOnRecipient(self, sequence=None):
+    """
+    Check that notification is send by user who cannot see recipient
+    """
+    self.logout()
+    self.portal.portal_notifications.sendMessage(
+        recipient=sequence['user_a_id'], subject='Subject', message='Message')
+    last_message = self.portal.MailHost._last_message
+    self.assertNotEquals((), last_message)
+
+  def test_permission_on_recipient_not_needed(self):
+    """Notification Tool can be used to send Messages even when user does not
+    have permission on sender or recipent documents.
+    """
+    sequence_list = SequenceList()
+    sequence_string = '\
+        AddUserA \
+        Tic \
+        CheckNotificationWithoutPermissionOnRecipient \
+        '
+    sequence_list.addSequenceString(sequence_string)
+    sequence_list.play(self)
+
 
 class TestNotificationToolWithCRM(TestNotificationTool):
   """Make sure that notification tool works with crm"""