From 450e3622e9740821fc7fd1d72565527df5334b1e Mon Sep 17 00:00:00 2001
From: Georgios Dagkakis <georgios.dagkakis@nexedi.com>
Date: Mon, 5 Aug 2019 15:40:16 +0000
Subject: [PATCH] erp5_hal_json_style: Fix default_module calculation when we
 obtain worklist data

'only_visible' in essence checks 'Add portal content',
But here we care for View permission really, since user can have worklist in a document
even if he/she does not have the rights to add content to the module.
---
 .../erp5_hal_json_style/ERP5Document_getHateoas.py         | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
index 8ddec3b580..a0b2ac1676 100644
--- a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
+++ b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
@@ -2166,6 +2166,7 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
       response.setStatus(405)
       return ""
     action_list = portal.portal_workflow.WorkflowTool_listActionParameterList()
+    checkPermission = portal.Base_checkPermission
     work_list = []
     for action in action_list:
       query = sql_catalog.buildQuery(action['query'])\
@@ -2193,13 +2194,13 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
 
         for portal_type in portal_type_list:
           if (worklist_module_id is None):
-            worklist_module_id = portal.getDefaultModuleId(portal_type, default=None, only_visible=True)
-          elif (worklist_module_id != portal.getDefaultModuleId(portal_type, default=None, only_visible=True)):
+            worklist_module_id = portal.getDefaultModuleId(portal_type, default=None, only_visible=False)
+          elif (worklist_module_id != portal.getDefaultModuleId(portal_type, default=None, only_visible=False)):
             worklist_module_id = None
           if worklist_module_id is None:
             break
 
-        if (worklist_module_id is not None):
+        if (worklist_module_id is not None and checkPermission(worklist_module_id, 'View')):
           worklist_dict['module'] = default_document_uri_template % {
             "relative_url": worklist_module_id
           }
-- 
2.30.9