diff --git a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
index 53b2e0573af50b1bcefe5cd636606e48b182d705..aa2bc1ef5dd7324ec02b9762a6be8079786036ed 100644
--- a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
+++ b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
@@ -466,16 +466,12 @@ def renderForm(traversed_document, form, response_dict, key_prefix=None, selecti
   field_errors = REQUEST.get('field_errors', {})
 
   #hardcoded
-  include_action = True
   if form.pt == 'form_dialog':
     action_to_call = "Base_callDialogMethod"
   else:
-    action_to_call = form.action
-    if (action_to_call == 'Base_edit') and (not portal.portal_membership.checkPermission('Modify portal content', traversed_document)):
-      # prevent allowing editing if user doesn't have permission
-      include_action = False
+    action_to_call = form.getAction(traversed_document)
 
-  if (include_action):
+  if action_to_call:
     # Form action
     response_dict['_actions'] = {
       'put': {
diff --git a/product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/view_main.zpt b/product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/view_main.zpt
index c63cf8e9829b2f545e70164f579086858183cf51..a38584dba64996a352b00962968f68985f26415b 100644
--- a/product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/view_main.zpt
+++ b/product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/view_main.zpt
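Review bot: The `form_dialog` branch still hardcodes `Base_callDialogMethod` and never consults `form.getAction`, so the permission logic that now gates non-dialog forms does not run for dialogs and `_actions` is always emitted for them. If that is intentional because the dialog method is expected to enforce permissions itself when invoked, a comment on that branch would spare the next reader the question, e.g. `# dialogs always expose their action; Base_callDialogMethod is expected to check permissions when called — verify`. renderForm begins and continues outside the hunk.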
@@ -8,7 +8,7 @@
 form nocall: form | nothing;
 form_id form/id | template/id | nothing;
 portal here/getPortalObject;
-form_action python: form and form.action not in ('', None) and portal.portal_membership.checkPermission('Modify portal content', here) and form.action or nothing;
+form_action python: form and form.getAction(here);
 local_parameter_list local_parameter_list | python: {};
 dummy python: local_parameter_list.update({'object_uid': object_uid, 'object_path': object_path, 'form_id': form_id});
 title python: '%s - %s' % (portal.Base_translateString(template.title_or_id()), here.getTitle());
diff --git a/product/ERP5Form/Form.py b/product/ERP5Form/Form.py
index b7d6a0b34ed7e4fa34e0dc3e3aca398909db9000..218e88e2f69b69b79d5da6d222342f5a9d91905a 100644
--- a/product/ERP5Form/Form.py
+++ b/product/ERP5Form/Form.py
@@ -41,6 +41,7 @@ from Products.ERP5Type import PropertySheet, Permissions
 from urllib import quote
 from Products.ERP5Type.Globals import DTMLFile, get_request
 from AccessControl import Unauthorized, ClassSecurityInfo
+from AccessControl.ZopeGuards import guarded_getattr
 from DateTime import DateTime
 from ZODB.POSException import ConflictError
 from zExceptions import Redirect
@@ -1292,6 +1293,22 @@ class ERP5Form(Base, ZMIForm, ZopePageTemplate):
     return str((self.pt, self.name, self.action, self.update_action,
                 self.encoding, self.stored_encoding, self.enctype))
 
+  def getAction(self, context):
+    action = self.action
+    if action:
+      try:
+        m = guarded_getattr(context, action)
+      except Unauthorized:
+        pass
+      else:
+        code = m.func_code
+        args = code.co_varnames[:code.co_argcount]
+        if (m(form_id=self.id, check_security=1) if 'form_id' in args else
+            m(check_security=1)) if 'check_security' in args else \
+            context.getPortalObject().portal_membership.checkPermission(
+              'Modify portal content', context):
+          return action
+
 # utility function
 def get_field_meta_type_and_proxy_flag(field):
   if field.meta_type=='ProxyField':
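Review bot: `m.func_code` in the new `getAction` assumes every form action resolves to a Python function or script; an action that names a page template, DTML method or any other callable without `func_code` would raise AttributeError out of rendering instead of falling back to the permission check. Reading it defensively keeps the fallback for such callables: `code = getattr(m, 'func_code', None)` followed by `args = code.co_varnames[:code.co_argcount] if code is not None else ()`, so the existing conditional lands on the `checkPermission` branch. The method also has no docstring and its contract is non-obvious: it returns `self.action` only when the current user may invoke it and None otherwise, and when the target accepts a `check_security` argument it actually calls the target with `check_security=1` at render time, relying on that argument meaning "only check, do not act" — worth stating in a docstring so that scripts used as form actions are written to that convention. The enclosing class ERP5Form starts outside the hunk.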
diff --git a/product/ERP5Type/patches/PythonScript.py b/product/ERP5Type/patches/PythonScript.py
index c252e40f520a21e903eadd7400cb84db1b67abb1..7d0ec06d3a939819cd60915010c4075dc0599913 100644
--- a/product/ERP5Type/patches/PythonScript.py
+++ b/product/ERP5Type/patches/PythonScript.py
@@ -82,8 +82,8 @@ def getRoles(ob):
 
 def _checkGuard(guard, ob):
   # returns 1 if guard passes against ob, else 0.
-  # TODO : implement TALES evaluation by defining an appropriate
-  # context.
+  # NOTE: Do not implement TALES evaluation like on workflow transition.
+  # See also https://lab.nexedi.com/nexedi/erp5/merge_requests/133
   if guard.permissions:
     # Require at least one role for required roles for the given permission.
     u_roles = getRoles(ob)