From 40f9a0f421fbfa4de080d750c1719a130c5ab03b Mon Sep 17 00:00:00 2001
From: Nicolas Delaby <nicolas@nexedi.com>
Date: Fri, 4 Jun 2010 13:31:53 +0000
Subject: [PATCH] Add mechanism to avoid format permission checking for
 intermediate format which can happen during conversions. even if ODT => HTML
 is permitted, conversion raise Unauthorized because it needs access to raw
 format. This patch address this issue: inside convert no more checking are
 computed.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@35998 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5/mixin/document.py | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/product/ERP5/mixin/document.py b/product/ERP5/mixin/document.py
index ce046d630c..59f7faafa9 100644
--- a/product/ERP5/mixin/document.py
+++ b/product/ERP5/mixin/document.py
@@ -31,7 +31,10 @@ from AccessControl import ClassSecurityInfo, Unauthorized
 from Products.ERP5Type import Permissions
 from OFS.Image import Pdata
 from cStringIO import StringIO
+from Products.ERP5Type.TransactionalVariable import getTransactionalVariable
+
 _MARKER = []
+LOCK_PERMISSION_KEY = 'TRANSACTIONAL_VARIABLE_FORMAT_PERMISSION_LOCK_FLAG'
 
 class DocumentMixin:
   """
@@ -58,8 +61,14 @@ class DocumentMixin:
       string (ex. jpeg, html, text, txt, etc.)
       **kw can be various things - e.g. resolution
     """
-    self._checkConversionFormatPermission(format, **kw)
-    return self._convert(format, **kw)
+    transaction_variable = getTransactionalVariable(self.getPortalObject())
+    if LOCK_PERMISSION_KEY in transaction_variable:
+      del transaction_variable[LOCK_PERMISSION_KEY]
+    self._checkConversionFormatPermission(format, lock_checking=True, **kw)
+    result = self._convert(format, **kw)
+    if LOCK_PERMISSION_KEY in transaction_variable:
+      del transaction_variable[LOCK_PERMISSION_KEY]
+    return result
 
   def _convert(self, format, **kw):
     """Private method which make the transformation.
@@ -80,10 +89,15 @@ class DocumentMixin:
     else:
       return True
 
-  def _checkConversionFormatPermission(self, format, **kw):
+  def _checkConversionFormatPermission(self, format, lock_checking=False, **kw):
     """Private method to check permission when access specified format.
     This method raises
     """
+    transaction_variable = getTransactionalVariable(self.getPortalObject())
+    if transaction_variable.get(LOCK_PERMISSION_KEY, False):
+      # Permission already checked in convert with final format,
+      # do not check permission for intermediate formats
+      return True
     # XXX cache result in TV
     method = self._getTypeBasedMethod('checkConversionFormatPermission',
                  fallback_script_id='Document_checkConversionFormatPermission')
@@ -98,6 +112,7 @@ class DocumentMixin:
       raise Unauthorized('Document: user does not have enough permission'\
                          ' to access document in %s format' %\
                                                         (format or 'original'))
+    transaction_variable[LOCK_PERMISSION_KEY] = lock_checking
 
   security.declareProtected(Permissions.AccessContentsInformation,
                                                  'isSupportBaseDataConversion')
-- 
2.30.9