From 450e3622e9740821fc7fd1d72565527df5334b1e Mon Sep 17 00:00:00 2001
From: Georgios Dagkakis <georgios.dagkakis@nexedi.com>
Date: Mon, 5 Aug 2019 15:40:16 +0000
Subject: [PATCH] erp5_hal_json_style: Fix default_module calculation when we obtain worklist data 'only_visible' in essence checks 'Add portal content', But here we care for View permission really, since user can have worklist in a document even if he/she does not have the rights to add content to the module.
---
 .../erp5_hal_json_style/ERP5Document_getHateoas.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
index 8ddec3b580..a0b2ac1676 100644
--- a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
+++ b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
@@ -2166,6 +2166,7 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
 response.setStatus(405)
 return ""
 action_list = portal.portal_workflow.WorkflowTool_listActionParameterList()
+ checkPermission = portal.Base_checkPermission
 work_list = []
 for action in action_list:
 query = sql_catalog.buildQuery(action['query'])\
@@ -2193,13 +2194,13 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
 for portal_type in portal_type_list:
 if (worklist_module_id is None):
- worklist_module_id = portal.getDefaultModuleId(portal_type, default=None, only_visible=True)
- elif (worklist_module_id != portal.getDefaultModuleId(portal_type, default=None, only_visible=True)):
+ worklist_module_id = portal.getDefaultModuleId(portal_type, default=None, only_visible=False)
+ elif (worklist_module_id != portal.getDefaultModuleId(portal_type, default=None, only_visible=False)):
 worklist_module_id = None
 if worklist_module_id is None:
 break
- if (worklist_module_id is not None):
+ if (worklist_module_id is not None and checkPermission(worklist_module_id, 'View')):
 worklist_dict['module'] = default_document_uri_template % {
 "relative_url": worklist_module_id
 }
-- 
2.30.9
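Review bot: The `checkPermission(worklist_module_id, 'View')` test on the final `if` is now the only thing keeping a module the user cannot view out of `worklist_dict['module']`, because the lookups above it pass `only_visible=False` and no longer filter by permission, and nothing in the code says so. I would add a comment above that `if`, for example `# only_visible=True filters on 'Add portal content'; a worklist only needs View, so the module is resolved unfiltered and View is checked here`, so that the guard is not dropped or the flag flipped back in a later cleanup. calculateHateoas continues outside this hunk, so any later use of `worklist_module_id` should be checked for relying on the previously filtered value; none is visible from here. The call also assumes `Base_checkPermission` takes a portal-relative path followed by a permission name and returns a false value when the object cannot be traversed, which is worth confirming against the script before merging.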