For object_view forms, test action by calling it with a special parameter...

For object_view forms, test action by calling it with a special parameter instead of hardcoding required permission

Before this commit, the condition to display the 'Save' button on object_view
actions was to check whether the user has 'Modify portal content' permission.

Now, it's possible to add forms that can be saved under a different condition
than having 'Modify portal content' permission.

TODO: unit test

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py

@@ -466,16 +466,12 @@ def renderForm(traversed_document, form, response_dict, key_prefix=None, selecti
   field_errors = REQUEST.get('field_errors', {})
 
   #hardcoded
-  include_action = True
   if form.pt == 'form_dialog':
     action_to_call = "Base_callDialogMethod"
   else:
-    action_to_call = form.action
-  if (action_to_call == 'Base_edit') and (not portal.portal_membership.checkPermission('Modify portal content', traversed_document)):
-    # prevent allowing editing if user doesn't have permission
-    include_action = False
+    action_to_call = form.getAction(traversed_document)
 
-  if (include_action):
+  if action_to_call:
     # Form action
     response_dict['_actions'] = {
       'put': {

product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/view_main.zpt

@@ -8,7 +8,7 @@
               form                 nocall: form | nothing;
               form_id              form/id | template/id | nothing;
               portal               here/getPortalObject;
-              form_action          python: form and form.action not in ('', None) and portal.portal_membership.checkPermission('Modify portal content', here) and form.action or nothing;
+              form_action          python: form and form.getAction(here);
               local_parameter_list local_parameter_list | python: {};
               dummy                python: local_parameter_list.update({'object_uid': object_uid, 'object_path': object_path, 'form_id': form_id});
               title                python: '%s - %s' % (portal.Base_translateString(template.title_or_id()), here.getTitle());

product/ERP5Form/Form.py

@@ -41,6 +41,7 @@ from Products.ERP5Type import PropertySheet, Permissions
 from urllib import quote
 from Products.ERP5Type.Globals import DTMLFile, get_request
 from AccessControl import Unauthorized, ClassSecurityInfo
+from AccessControl.ZopeGuards import guarded_getattr
 from DateTime import DateTime
 from ZODB.POSException import ConflictError
 from zExceptions import Redirect
@@ -1292,6 +1293,22 @@ class ERP5Form(Base, ZMIForm, ZopePageTemplate):
       return str((self.pt, self.name, self.action, self.update_action,
                   self.encoding, self.stored_encoding, self.enctype))
 
+    def getAction(self, context):
+      action = self.action
+      if action:
+        try:
+          m = guarded_getattr(context, action)
+        except Unauthorized:
+          pass
+        else:
+          code = m.func_code
+          args = code.co_varnames[:code.co_argcount]
+          if (m(form_id=self.id, check_security=1) if 'form_id' in args else
+              m(check_security=1)) if 'check_security' in args else \
+             context.getPortalObject().portal_membership.checkPermission(
+                'Modify portal content', context):
+            return action
+
 # utility function
 def get_field_meta_type_and_proxy_flag(field):
     if field.meta_type=='ProxyField':

product/ERP5Type/patches/PythonScript.py

@@ -82,8 +82,8 @@ def getRoles(ob):
 
 def _checkGuard(guard, ob):
   # returns 1 if guard passes against ob, else 0.
-  # TODO : implement TALES evaluation by defining an appropriate
-  # context.
+  # NOTE: Do not implement TALES evaluation like on workflow transition.
+  #       See also https://lab.nexedi.com/nexedi/erp5/merge_requests/133
   if guard.permissions:
     # Require at least one role for required roles for the given permission.
     u_roles = getRoles(ob)