Allow to force user authentication.

Use the HalRestricted skin selection to prevent anonymous user to access the API.

This allow the JS application to be informed that the user is not authenticated (and so, it can prevent allDocs call without results).

Consider this code as a proof of concept which should be instead be done at PAS level.

Restricted access on WebSection level can not be done currently, as it will redirect the query to the ERP5 login_form page template.

bt5/erp5_hal_json_style/RegisteredSkinSelectionTemplateItem/registered_skin_selection.xml

 <registered_skin_selection>
+ <skin_folder_selection>
+  <skin_folder>erp5_hal_json_restricted_style</skin_folder>
+  <skin_selection>HalRestricted</skin_selection>
+ </skin_folder_selection>
  <skin_folder_selection>
   <skin_folder>erp5_hal_json_style</skin_folder>
-  <skin_selection>Hal</skin_selection>
+  <skin_selection>HalRestricted,Hal</skin_selection>
  </skin_folder_selection>
  <skin_folder_selection>
   <skin_folder>erp5_xhtml_style</skin_folder>
-  <skin_selection>Hal</skin_selection>
+  <skin_selection>HalRestricted,Hal</skin_selection>
  </skin_folder_selection>
 </registered_skin_selection>
\ No newline at end of file

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_restricted_style.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Folder" module="OFS.Folder"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_local_properties</string> </key>
+            <value>
+              <tuple>
+                <dictionary>
+                  <item>
+                      <key> <string>id</string> </key>
+                      <value> <string>business_template_skin_layer_priority</string> </value>
+                  </item>
+                  <item>
+                      <key> <string>type</string> </key>
+                      <value> <string>float</string> </value>
+                  </item>
+                </dictionary>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>_objects</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>business_template_skin_layer_priority</string> </key>
+            <value> <float>99.5</float> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>erp5_hal_json_restricted_style</string> </value>
+        </item>
+        <item>
+            <key> <string>title</string> </key>
+            <value> <string></string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_restricted_style/ERP5Document_getHateoas.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_body</string> </key>
+            <value> <string># Manually force restricted mode in the ERP5Document_getHateoas\n
+# Can not be done quickly with Security handling, as it redirects the request to the login form\n
+\n
+new_skin_name = "Hal"\n
+context.getPortalObject().portal_skins.changeSkin(new_skin_name)\n
+if REQUEST is None:\n
+  REQUEST = context.REQUEST\n
+REQUEST.set(\'portal_skin\', new_skin_name)\n
+\n
+return context.ERP5Document_getHateoas(\n
+  REQUEST=REQUEST,\n
+  response=response,\n
+  view=view,\n
+  mode=mode,\n
+  query=query,\n
+  select_list=select_list,\n
+  limit=limit,\n
+  form=form,\n
+  relative_url=relative_url,\n
+  restricted=1\n
+)\n
+</string> </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>REQUEST=None, response=None, view=None, mode=\'root\', query=None, select_list=None, limit=None, form=None, relative_url=None</string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5Document_getHateoas</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.xml

@@ -344,7 +344,7 @@ sql_catalog = portal.portal_catalog.getSQLCatalog()\n
 is_web_mode = (context.REQUEST.get(\'current_web_section\', None) is not None) or context.isWebMode()\n
 # is_web_mode =  traversed_document.isWebMode()\n
 if is_web_mode:\n
-  site_root = context.getWebSiteValue()\n
+  site_root = context.REQUEST.get(\'current_web_section\', context.getWebSiteValue())\n
 else:\n
   site_root = portal\n
 \n
@@ -386,8 +386,10 @@ result_dict = {\n
   }\n
 }\n
 \n
+if (restricted == 1) and (portal.portal_membership.isAnonymousUser()):\n
+  response.setStatus(401)\n
 \n
-if mime_type != traversed_document.Base_handleAcceptHeader([mime_type]):\n
+elif mime_type != traversed_document.Base_handleAcceptHeader([mime_type]):\n
   response.setStatus(406)\n
   return ""\n
 \n
@@ -735,7 +737,7 @@ return json.dumps(result_dict, indent=2)\n
         </item>
         <item>
             <key> <string>_params</string> </key>
-            <value> <string>REQUEST=None, response=None, view=None, mode=\'root\', query=None, select_list=None, limit=None, form=None, relative_url=None</string> </value>
+            <value> <string>REQUEST=None, response=None, view=None, mode=\'root\', query=None, select_list=None, limit=None, form=None, relative_url=None, restricted=0</string> </value>
         </item>
         <item>
             <key> <string>id</string> </key>

bt5/erp5_hal_json_style/bt/revision

-21
\ No newline at end of file
+22
\ No newline at end of file

bt5/erp5_hal_json_style/bt/template_registered_skin_selection_list

+erp5_hal_json_restricted_style | HalRestricted
 erp5_hal_json_style | Hal
-erp5_xhtml_style | Hal
\ No newline at end of file
+erp5_hal_json_style | HalRestricted
+erp5_xhtml_style | Hal
+erp5_xhtml_style | HalRestricted
\ No newline at end of file

bt5/erp5_hal_json_style/bt/template_skin_id_list

+erp5_hal_json_restricted_style
 erp5_hal_json_style
\ No newline at end of file