Make relation string field manage permission correctly.

Only display objects for which user has the right permission.
Never remove the relation to not viewable objects.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@20988 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5Form/Form.py

@@ -193,13 +193,19 @@ class DefaultValue(StaticValue):
       form = field.aq_parent
       ob = getattr(form, 'aq_parent', None)
       value = self.value
-      if value not in (None, ''):
-        # If a default value is defined on the field, it has precedence
-        value = ob.getProperty(self.key, d=value)
-      else:
-        # else we should give a chance to the accessor to provide
-        # a default value (including None)
-        value = ob.getProperty(self.key)
+      try:
+        if value not in (None, ''):
+          # If a default value is defined on the field, it has precedence
+          value = ob.getProperty(self.key, d=value)
+        else:
+          # else we should give a chance to the accessor to provide
+          # a default value (including None)
+          value = ob.getProperty(self.key)
+      except Unauthorized:
+        value = ob.getProperty(self.key, d=value, checked_permission='View')
+        REQUEST = get_request()
+        if REQUEST is not None:
+          REQUEST.set('read_only_%s' % self.key, 1)
     except (KeyError, AttributeError):
       value = None
     return self.returnValue(field, id, value)

product/ERP5Form/MultiRelationField.py

@@ -431,12 +431,14 @@ class MultiRelationEditor:
             set_method_name = '_set%sValue' % \
                          convertToUpperCase(self.base_category)
             getattr(o, set_method_name)(relation_object_list[0],
-                                        portal_type=self.portal_type_list)
+                                        portal_type=self.portal_type_list,
+                                        checked_permission='View')
           else:
             set_method_name = '_set%sValueList' % \
                          convertToUpperCase(self.base_category)
             getattr(o, set_method_name)(relation_object_list,
-                                        portal_type=self.portal_type_list)
+                                        portal_type=self.portal_type_list,
+                                        checked_permission='View')
 
 allow_class(MultiRelationEditor)
 

product/ERP5Form/RelationField.py

@@ -59,11 +59,18 @@ class RelationStringFieldWidget(
 
   def _generateRenderValueList(self, field, key, value, REQUEST):
 #     value = value or NO_VALUE
-    relation_field_id = field.generate_subfield_key(SUB_FIELD_ID, key=key)
-    relation_item_key = field.generate_subfield_key(ITEM_ID, key=key)
-    relation_item_list = REQUEST.get(relation_item_key, [])
-    return [(Widget.TextWidgetInstance, relation_field_id, 
-             relation_item_list, value, None)]
+
+    if REQUEST.get(
+        'read_only_%s' % REQUEST.get(
+           'field__proxyfield_%s_%s_default' % (field.id, field._p_oid), 
+           field).getId()[3:], 0):
+      return []
+    else:
+      relation_field_id = field.generate_subfield_key(SUB_FIELD_ID, key=key)
+      relation_item_key = field.generate_subfield_key(ITEM_ID, key=key)
+      relation_item_list = REQUEST.get(relation_item_key, [])
+      return [(Widget.TextWidgetInstance, relation_field_id, 
+               relation_item_list, value, None)]
 
 class RelationEditor(MultiRelationField.MultiRelationEditor):
   """