[Erp5-report] r16972 - in /erp5/trunk/products/ERP5Type: Core/Folder.py ERP5Type.py

nobody at svn.erp5.org nobody at svn.erp5.org
Fri Oct 12 10:40:06 CEST 2007


Author: kazuhiko
Date: Fri Oct 12 10:40:05 2007
New Revision: 16972

URL: http://svn.erp5.org?rev=16972&view=rev
Log:
do not check 'Add portal content' permission if 'Add Permission' is set.

Modified:
    erp5/trunk/products/ERP5Type/Core/Folder.py
    erp5/trunk/products/ERP5Type/ERP5Type.py

Modified: erp5/trunk/products/ERP5Type/Core/Folder.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Core/Folder.py?rev=16972&r1=16971&r2=16972&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Core/Folder.py (original)
+++ erp5/trunk/products/ERP5Type/Core/Folder.py Fri Oct 12 10:40:05 2007
@@ -1220,10 +1220,6 @@
       hidden content types. It allows to be much faster when only the type id
       is needed.
     """
-    if not getSecurityManager().checkPermission(
-                      Permissions.AddPortalContent, self):
-      return []
-
     portal = self.getPortalObject()
 
     def _getVisibleAllowedContentTypeList():
@@ -1264,10 +1260,6 @@
     # permission that "Add portal content". For now, this is only the case for
     # Role Definition objects, but this shows that generally speaking, this is
     # not the right approach.
-    if not getSecurityManager().checkPermission(
-                      Permissions.AddPortalContent, self):
-      return []
-
     def _allowedContentTypes( portal_type=None, user=None, portal_path=None ):
       # Sort the list for convenience -yo
       # XXX This is not the best solution, because this does not take

Modified: erp5/trunk/products/ERP5Type/ERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/ERP5Type.py?rev=16972&r1=16971&r2=16972&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/ERP5Type.py (original)
+++ erp5/trunk/products/ERP5Type/ERP5Type.py Fri Oct 12 10:40:05 2007
@@ -58,7 +58,9 @@
 
 from TranslationProviderBase import TranslationProviderBase
 
-from zLOG import LOG
+from sys import exc_info
+from zLOG import LOG, ERROR
+from Products.CMFCore.exceptions import zExceptions_Unauthorized
 
 ERP5TYPE_SECURITY_GROUP_ID_GENERATION_SCRIPT = 'ERP5Type_asSecurityGroupId'
 
@@ -205,16 +207,39 @@
     #
     #   Agent methods
     #
-    security.declarePublic('isConstructionAllowed')
-    def isConstructionAllowed( self, container ):
-        """
-        Does the current user have the permission required in
-        order to construct an instance?
-        """
-        permission = self.permission
-        if permission and not _checkPermission( permission, container ):
-            return 0
-        return FactoryTypeInformation.isConstructionAllowed(self, container)
+    def _queryFactoryMethod(self, container, default=None):
+
+        if not self.product or not self.factory or container is None:
+            return default
+
+        # In case we aren't wrapped.
+        dispatcher = getattr(container, 'manage_addProduct', None)
+
+        if dispatcher is None:
+            return default
+
+        try:
+            p = dispatcher[self.product]
+        except AttributeError:
+            LOG('Types Tool', ERROR, '_queryFactoryMethod raised an exception',
+                error=exc_info())
+            return default
+
+        m = getattr(p, self.factory, None)
+
+        if m:
+            try:
+                # validate() can either raise Unauthorized or return 0 to
+                # mean unauthorized.
+                permission = self.permission
+                if permission and _checkPermission( permission, container ):
+                    return m
+                elif getSecurityManager().validate(p, p, self.factory, m):
+                    return m
+            except zExceptions_Unauthorized:  # Catch *all* Unauths!
+                pass
+
+        return default
 
     def _getFactoryMethod(self, container, check_security=1):
         if not self.product or not self.factory:
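Review bot: In `_queryFactoryMethod`, the `elif` makes the type's own permission an alternative grant rather than a requirement: when `self.permission` is set and the user does not hold it on `container`, control still reaches `getSecurityManager().validate(p, p, self.factory, m)` and can return the factory method. The removed `isConstructionAllowed` returned 0 in that case, and the log message suggests the type permission is meant to replace the factory check rather than sit beside it, so the branch should be nested as in the fence below. The same commit drops the `AddPortalContent` early returns in both Folder.py hunks, so if those listings filter types through this path (not visible here), it becomes their only gate and deserves a test with a user holding just one of the two permissions. The method also lacks a docstring saying it returns `default` on any denial, and `getSecurityManager` is not among the imports added in the first hunk, so confirm it is already in scope in ERP5Type.py.

```python
        if m:
            try:
                # A type-specific permission, when set, is the only check;
                # validate() on the factory applies only when none is set.
                permission = self.permission
                if permission:
                    if _checkPermission( permission, container ):
                        return m
                elif getSecurityManager().validate(p, p, self.factory, m):
                    return m
            # … unchanged: except zExceptions_Unauthorized handler and return default …
```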



