Check action guard instead of hardcoding required permission for object_view forms

Before this commit, the condition to display the 'Save' button on object_view
actions was to check whether the user has 'Modify portal content' permission.

This check is moved to all scripts that are used as form action
(e.g. Base_edit), using guards.

Now, it's possible to add forms that can be saved under a different condition
than having 'Modify portal content' permission.

bt5/erp5_content_translation/SkinTemplateItem/portal_skins/erp5_content_translation/Base_editContentTranslationMessage.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, selection_index=0, selection_name=\'\', dialog_id=\'\', ignore_layout=0, editable_mode=1, silent_mode=0, field_prefix=\'my_\'</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_editContentTranslationMessage</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

bt5/erp5_knowledge_pad/SkinTemplateItem/portal_skins/erp5_knowledge_pad/KnowledgeBox_baseEdit.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, form_fields_main_prefix, box_relative_url, gadget_redirect_url=None, synchronous_mode=True</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>KnowledgeBox_baseEdit</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

bt5/erp5_run_my_doc/SkinTemplateItem/portal_skins/erp5_run_my_doc/Review_editAnnotationList.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>listbox_uid</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Review_editAnnotationList</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

bt5/erp5_simulation/SkinTemplateItem/portal_skins/erp5_simulation/Base_editConfiguration.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id=\'view\', selection_index=0, selection_name=\'\', ignore_layout=0, editable_mode=1</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_editConfiguration</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_edit.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, selection_index=0, selection_name=\'\', dialog_id=\'\', ignore_layout=0, editable_mode=1, silent_mode=0, field_prefix=\'my_\', key_prefix=None, listbox_edit=None, message_only=False</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_edit</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_editTranslationDomainList.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, *args, **kw</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_editTranslationDomainList</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Predicate_edit.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, selection_index=0, selection_name=\'\', ignore_layout=0, editable_mode=1</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Predicate_edit</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/view_main.zpt

@@ -8,7 +8,7 @@
               form                 nocall: form | nothing;
               form_id              form/id | template/id | nothing;
               portal               here/getPortalObject;
-              form_action          python: form and form.action not in ('', None) and portal.portal_membership.checkPermission('Modify portal content', here) and form.action or nothing;
+              form_action          python: form and form.getAction(here);
               local_parameter_list local_parameter_list | python: {};
               dummy                python: local_parameter_list.update({'object_uid': object_uid, 'object_path': object_path, 'form_id': form_id});
               title                python: '%s - %s' % (portal.Base_translateString(template.title_or_id()), here.getTitle());

product/ERP5Form/Form.py

@@ -41,6 +41,7 @@ from Products.ERP5Type import PropertySheet, Permissions
 from urllib import quote
 from Products.ERP5Type.Globals import DTMLFile, get_request
 from AccessControl import Unauthorized, ClassSecurityInfo
+from AccessControl.ZopeGuards import guarded_getattr
 from DateTime import DateTime
 from ZODB.POSException import ConflictError
 from zExceptions import Redirect
@@ -1292,6 +1293,23 @@ class ERP5Form(Base, ZMIForm, ZopePageTemplate):
       return str((self.pt, self.name, self.action, self.update_action,
                   self.encoding, self.stored_encoding, self.enctype))
 
+    def getAction(self, context):
+      action = self.action
+      if action:
+        try:
+          m = guarded_getattr(context, action)
+        except ConflictError:
+          raise
+        except Exception:
+          pass
+        else:
+          try:
+            check = m.checkGuard
+          except AttributeError:
+            return action
+          if check():
+            return action
+
 # utility function
 def get_field_meta_type_and_proxy_flag(field):
     if field.meta_type=='ProxyField':

[Jérome Perrin]

If we introduce a guard on Base_edit, this guard will cause an Unauthorized error in the case where user submits the form but no longer have Modify portal content permission and this part will no longer be executed to handle that case gracefully.