validate copy & paste according to ERP5Type rules (ie. "Add permission" on the

type information)


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@34474 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5Type/Core/Folder.py

@@ -29,12 +29,13 @@
 
 import transaction
 from AccessControl import ClassSecurityInfo
-from Acquisition import aq_base, aq_self, aq_parent
+from Acquisition import aq_base, aq_self, aq_parent, aq_inner
 from OFS.History import Historical
 from OFS.Folder import Folder as OFSFolder
 import ExtensionClass
 
-from Products.CMFCore.utils import _getAuthenticatedUser
+from Products.CMFCore.utils import _getAuthenticatedUser, getToolByName
+from Products.CMFCore.exceptions import AccessControl_Unauthorized
 from Products.CMFCore.CMFCatalogAware import CMFCatalogAware
 from Products.CMFCore.PortalFolder import ContentFilter
 
@@ -1507,6 +1508,41 @@ class Folder(CopyContainer, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn,
         raise ValueError, "The method %s was not found" % method_id
       method(*args, **kw)
 
+  def _verifyObjectPaste(self, object, validate_src=1):
+    # To paste in an ERP5Type folder, we need to check 'Add permission'
+    # that might be defined on the sub object type information.
+    pt = getToolByName(self, 'portal_types')
+    subobject_type = pt.getTypeInfo(object)
+    if subobject_type is not None:
+      sm = getSecurityManager()
+      parent = aq_parent(aq_inner(object))
+
+      # check allowed content types
+      type_name = subobject_type.getId()
+      myType = pt.getTypeInfo(self)
+      if myType is not None and not myType.allowType(type_name):
+        raise ValueError('Disallowed subobject type: %s' % type_name)
+
+      # Check Add permission (ERPType addition)
+      add_permission = getattr(aq_base(subobject_type), 'permission', '')
+      if add_permission:
+        if not sm.checkPermission(add_permission, self):
+          raise AccessControl_Unauthorized, add_permission
+
+      # handle validate_src
+      if validate_src:
+        if not sm.validate(None, parent, None, object):
+          raise AccessControl_Unauthorized, object_id
+      if validate_src > 1:
+        if not sm.checkPermission(DeleteObjects, parent):
+          raise AccessControl_Unauthorized
+      # so far, everything OK
+      return
+    
+    # if we haven't been able to validate, pass through to parent class
+    Folder.inheritedAttribute(
+          '_verifyObjectPaste')(self, object, validate_src)
+
 
 # We browse all used class from btree and hbtree and set not implemented
 # class if one method defined on a class is not defined on other, thus if

product/ERP5Type/tests/testERP5Type.py

@@ -2564,7 +2564,16 @@ class TestPropertySheet:
 
       container.manage_permission('Manage portal', ['Anonymous'], 0)
       self.assertTrue(type_info in container.allowedContentTypes())
-      container.newContent(portal_type='Test Add Permission Document')
+      doc = container.newContent(portal_type='Test Add Permission Document')
+
+      # we can also clone such documents only with the permission registered on
+      # the type information
+      copy_data = container.manage_copyObjects([doc.getId()])
+      container.manage_pasteObjects(copy_data)
+
+      container.manage_permission('Manage portal', [], 0)
+      self.assertRaises(Unauthorized, container.manage_pasteObjects, copy_data)
+    
 
     def testPropertyListWithMonoValuedProperty(self):
       """