Check action guard instead of hardcoding required permission for object_view forms

Before this commit, the condition to display the 'Save' button on object_view
actions was to check whether the user has 'Modify portal content' permission.

This check is moved to all scripts that are used as form action
(e.g. Base_edit), using guards.

Now, it's possible to add forms that can be saved under a different condition
than having 'Modify portal content' permission.

bt5/erp5_content_translation/SkinTemplateItem/portal_skins/erp5_content_translation/Base_editContentTranslationMessage.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, selection_index=0, selection_name=\'\', dialog_id=\'\', ignore_layout=0, editable_mode=1, silent_mode=0, field_prefix=\'my_\'</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_editContentTranslationMessage</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py

@@ -427,16 +427,12 @@ def renderForm(traversed_document, form, response_dict, key_prefix=None, selecti
   field_errors = REQUEST.get('field_errors', {})
 
   #hardcoded
-  include_action = True
   if form.pt == 'form_dialog':
     action_to_call = "Base_callDialogMethod"
   else:
-    action_to_call = form.action
-  if (action_to_call == 'Base_edit') and (not portal.portal_membership.checkPermission('Modify portal content', traversed_document)):
-    # prevent allowing editing if user doesn't have permission
-    include_action = False
+    action_to_call = form.getAction(traversed_document)
 
-  if (include_action):
+  if action_to_call:
     # Form action
     response_dict['_actions'] = {
       'put': {

bt5/erp5_knowledge_pad/SkinTemplateItem/portal_skins/erp5_knowledge_pad/KnowledgeBox_baseEdit.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, form_fields_main_prefix, box_relative_url, gadget_redirect_url=None, synchronous_mode=True</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>KnowledgeBox_baseEdit</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

bt5/erp5_run_my_doc/SkinTemplateItem/portal_skins/erp5_run_my_doc/Review_editAnnotationList.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>listbox_uid</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Review_editAnnotationList</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

bt5/erp5_simulation/SkinTemplateItem/portal_skins/erp5_simulation/Base_editConfiguration.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id=\'view\', selection_index=0, selection_name=\'\', ignore_layout=0, editable_mode=1</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_editConfiguration</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_edit.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, selection_index=0, selection_name=\'\', dialog_id=\'\', ignore_layout=0, editable_mode=1, silent_mode=0, field_prefix=\'my_\', key_prefix=None, listbox_edit=None, message_only=False</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_edit</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Base_editTranslationDomainList.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, *args, **kw</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Base_editTranslationDomainList</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_core/Predicate_edit.xml

@@ -52,6 +52,12 @@
             <key> <string>_params</string> </key>
             <value> <string>form_id, selection_index=0, selection_name=\'\', ignore_layout=0, editable_mode=1</string> </value>
         </item>
+        <item>
+            <key> <string>guard</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
         <item>
             <key> <string>id</string> </key>
             <value> <string>Predicate_edit</string> </value>
@@ -59,4 +65,21 @@
       </dictionary>
     </pickle>
   </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Guard" module="Products.DCWorkflow.Guard"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>permissions</string> </key>
+            <value>
+              <tuple>
+                <string>Modify portal content</string>
+              </tuple>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
 </ZopeData>

product/ERP5/bootstrap/erp5_xhtml_style/SkinTemplateItem/portal_skins/erp5_xhtml_style/view_main.zpt

@@ -8,7 +8,7 @@
               form                 nocall: form | nothing;
               form_id              form/id | template/id | nothing;
               portal               here/getPortalObject;
-              form_action          python: form and form.action not in ('', None) and portal.portal_membership.checkPermission('Modify portal content', here) and form.action or nothing;
+              form_action          python: form and form.getAction(here);
               local_parameter_list local_parameter_list | python: {};
               dummy                python: local_parameter_list.update({'object_uid': object_uid, 'object_path': object_path, 'form_id': form_id});
               title                python: '%s - %s' % (portal.Base_translateString(template.title_or_id()), here.getTitle());

product/ERP5Form/Form.py

@@ -41,6 +41,7 @@ from Products.ERP5Type import PropertySheet, Permissions
 from urllib import quote
 from Products.ERP5Type.Globals import DTMLFile, get_request
 from AccessControl import Unauthorized, ClassSecurityInfo
+from AccessControl.ZopeGuards import guarded_getattr
 from DateTime import DateTime
 from ZODB.POSException import ConflictError
 from zExceptions import Redirect
@@ -1292,6 +1293,23 @@ class ERP5Form(Base, ZMIForm, ZopePageTemplate):
       return str((self.pt, self.name, self.action, self.update_action,
                   self.encoding, self.stored_encoding, self.enctype))
 
+    def getAction(self, context):
+      action = self.action
+      if action:
+        try:
+          m = guarded_getattr(context, action)
+        except ConflictError:
+          raise
+        except Exception:
+          pass
+        else:
+          try:
+            check = m.checkGuard
+          except AttributeError:
+            return action
+          if check():
+            return action
+
 # utility function
 def get_field_meta_type_and_proxy_flag(field):
     if field.meta_type=='ProxyField':