core: respect "View History" permission in ZODB History

This action should only be possible if user have View History
permission.

erp5_data_protection relies on removing the "View History" permission to
make sure users cannot see the properties before protection in the
history tab. This was supported by Base_viewHistory, but not by ZODB
History

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_getZODBHistoryList.py

+from AccessControl import getSecurityManager
+from zExceptions import Unauthorized
 from Products.ERP5Type.Document import newTempBase
 portal = context.getPortalObject()
 result = []
 
+if not getSecurityManager().getUser().has_permission('View History', context):
+  raise Unauthorized()
+
 def beautifyChange(change_dict):
   return ["%s:%s" % (k,change_dict[k]) for k in sorted(change_dict.keys())]
 

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_viewHistory/your_zodb_history.xml

@@ -164,7 +164,9 @@
                 </item>
                 <item>
                     <key> <string>enabled</string> </key>
-                    <value> <string></string> </value>
+                    <value>
+                      <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+                    </value>
                 </item>
                 <item>
                     <key> <string>external_validator</string> </key>
@@ -178,6 +180,10 @@
                     <key> <string>hidden</string> </key>
                     <value> <string></string> </value>
                 </item>
+                <item>
+                    <key> <string>input_type</string> </key>
+                    <value> <string></string> </value>
+                </item>
                 <item>
                     <key> <string>link_type</string> </key>
                     <value> <string></string> </value>
@@ -312,4 +318,17 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <global name="TALESMethod" module="Products.Formulator.TALESField"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_text</string> </key>
+            <value> <string>python: modules[\'AccessControl\'].getSecurityManager().getUser().has_permission(\'View History\', context)</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/tests/testZODBHistory.py

@@ -122,6 +122,29 @@ class TestZODBHistory(ERP5TypeTestCase):
     # should be: create(1) + edit(60) = 61
     self.assertEqual(len(history_list), 61)
 
+  def test_testZODBHistorySecurity(self):
+    """
+     Make sure ZODB History is not available when user does not have "View History" permission.
+    """
+    self.loginByUserName('tatuya')
+    document = self.addOrganisation('document')
+
+    # by default, users have a link to view ZODB history in history tab
+    self.assertIn(
+        'your_zodb_history',
+        [field.getId() for field in document.Base_viewHistory.get_fields()])
+
+    # when user does not have "View History" permission, the link is not displayed
+    document.manage_permission('View History', [], 0)
+    self.assertNotIn(
+        'your_zodb_history',
+        [field.getId() for field in document.Base_viewHistory.get_fields()])
+
+    # accessing the form directly is not allowed either
+    from zExceptions import Unauthorized
+    self.assertRaises(Unauthorized, document.Base_viewZODBHistory)
+
+
 def test_suite():
   suite = unittest.TestSuite()
   suite.addTest(unittest.makeSuite(TestZODBHistory))