in getViewPermissionOwner, check that the owner can view the document, not that

the Owner role has the view permission.



git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@15739 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5/tests/testBase.py

@@ -73,6 +73,8 @@ class TestBase(ERP5TypeTestCase):
   not_related_to_temp_object_property_id = "string_index"
   not_related_to_temp_object_property_value = "a_great_index"
   
+  username = 'rc'
+
   def getTitle(self):
     return "Base"
 
@@ -83,8 +85,8 @@ class TestBase(ERP5TypeTestCase):
 
   def login(self):
     uf = self.getPortal().acl_users
-    uf._doAddUser('rc', '', ['Manager'], [])
-    user = uf.getUserById('rc').__of__(uf)
+    uf._doAddUser(self.username, '', ['Manager'], [])
+    user = uf.getUserById(self.username).__of__(uf)
     newSecurityManager(None, user)
 
   def afterSetUp(self):
@@ -961,6 +963,26 @@ class TestBase(ERP5TypeTestCase):
         props['chain_%s' % id] = ','.join(wf_ids)
       pw.manage_changeWorkflows('', props = props)
 
+  def test_getViewPermissionOwnerDefault(self):
+    """Test getViewPermissionOwner method behaviour"""
+    portal = self.getPortal()
+    obj = portal.organisation_module.newContent(portal_type='Organisation')
+    self.assertEquals(self.username, obj.getViewPermissionOwner())
+
+  def test_getViewPermissionOwnerNoOwnerLocalRole(self):
+    # the actual owner doesn't have Owner local role
+    portal = self.getPortal()
+    obj = portal.organisation_module.newContent(portal_type='Organisation')
+    obj.manage_delLocalRoles(self.username)
+    self.assertEquals(self.username, obj.getViewPermissionOwner())
+
+  def test_getViewPermissionOwnerNoViewPermission(self):
+    # the owner cannot view the object
+    portal = self.getPortal()
+    obj = portal.organisation_module.newContent(portal_type='Organisation')
+    obj.manage_permission('View', [], 0)
+    self.assertEquals(None, obj.getViewPermissionOwner())
+
 
 class TestERP5PropertyManager(unittest.TestCase):
   """Tests for ERP5PropertyManager.

product/ERP5Catalog/tests/testERP5Catalog.py

@@ -68,6 +68,7 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
   # Different variables used for this test
   run_all_test = 1
   quiet = 0
+  username = 'seb'
 
   def afterSetUp(self):
     self.login()
@@ -85,8 +86,8 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
 
   def login(self):
     uf = self.getPortal().acl_users
-    uf._doAddUser('seb', '', ['Manager'], [])
-    user = uf.getUserById('seb').__of__(uf)
+    uf._doAddUser(self.username, '', ['Manager'], [])
+    user = uf.getUserById(self.username).__of__(uf)
     newSecurityManager(None, user)
 
   def getSQLPathList(self,connection_id=None):
@@ -1802,6 +1803,23 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
     sql_src = self.getCatalogTool()(src__=1,**catalog_kw)
     self.failUnless('TRUNCATE(catalog.uid,2) = 2567.54' in sql_src)
 
+  def test_SearchOnOwner(self):
+    # owner= can be used a search key in the catalog to have all documents for
+    # a specific owner and on which he have the View permission.
+    obj = self._makeOrganisation(title='The Document')
+    obj2 = self._makeOrganisation(title='The Document')
+    obj2.manage_permission('View', [], 0)
+    obj2.reindexObject()
+    get_transaction().commit()
+    self.tic()
+    ctool = self.getCatalogTool()
+    self.assertEquals([obj], [x.getObject() for x in
+                                   ctool(title='The Document',
+                                         owner=self.username)])
+    self.assertEquals([], [x.getObject() for x in
+                                   ctool(title='The Document',
+                                         owner='somebody else')])
+
 if __name__ == '__main__':
     framework()
 else:

product/ERP5Type/Base.py

@@ -1432,13 +1432,12 @@ class Base( CopyContainer,
   security.declareProtected( Permissions.AccessContentsInformation, 'getViewPermissionOwner' )
   def getViewPermissionOwner(self):
     """
-      Returns the user ID of the owner if Owner role
-      has View permission. Returns None else.
+      Returns the user ID of the owner if this user has View permission,
+      otherwise returns None.
     """
-    path, user_id = self.getOwnerTuple()
-    if 'Owner' in rolesForPermissionOn(Permissions.View, self):
-      path, user_id = self.getOwnerTuple()
-      return user_id
+    owner = self.getWrappedOwner()
+    if owner is not None and owner.has_permission(Permissions.View, self):
+      return str(owner)
     return None
 
   # Private accessors for the implementation of relations based on