[Erp5-report] r9431 - /erp5/trunk/products/ERP5Type/Document/Folder.py
nobody at svn.erp5.org
Fri Aug 25 13:38:19 CEST 2006
Author: jerome
Date: Fri Aug 25 13:38:17 2006
New Revision: 9431
URL: http://svn.erp5.org?rev=9431&view=rev
Log:
explain problem with allowedContentTypes caching strategy and make a quick and dirty workaround
Modified:
erp5/trunk/products/ERP5Type/Document/Folder.py
Modified: erp5/trunk/products/ERP5Type/Document/Folder.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Document/Folder.py?rev=9431&r1=9430&r2=9431&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Document/Folder.py (original)
+++ erp5/trunk/products/ERP5Type/Document/Folder.py Fri Aug 25 13:38:17 2006
@@ -650,12 +650,24 @@
# Optimized Menu System
security.declarePublic('allowedContentTypes')
def allowedContentTypes( self ):
- """
- List portal_types which can be added in this folder / object.
- Cache results. This requires restarting Zope to update values.
- """
+ """ List portal_types which can be added in this folder / object.
+ Cache results.
+ """
+ # if we don't have add portal content permission, return directly.
+ # this prevents returning cached allowed types when the user no longer have
+ # the permission to any content type. (security definitions in workflows
+ # usually remove some permission once an object is "Valid")
+ # This also prevents filling the cache with an empty list, when the user
+ # does not have the permission to add any content yet.
+
+ # XXX this works just fine, unless some objects can be added with another
+ # permission that "Add portal content". For now, this is only the case for
+ # Role Definition objects, but this shows that generally speaking, this is
+ # not the right approach.
if not getSecurityManager().checkPermission(
- Permissions.AddPortalContent, self):
+ Permissions.AddPortalContent, self) and\
+ not getSecurityManager().checkPermission(
+ Permissions.ChangeLocalRoles, self):
return []
def _allowedContentTypes( portal_type=None, user=None, portal_path=None ):
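Review bot: the widened guard at `Permissions.AddPortalContent, self) and\` now lets any user who holds ChangeLocalRoles but not AddPortalContent fall through to the cached `_allowedContentTypes`, so for that user the stale-cache case described in the new comment (cached types returned after a workflow has removed the add permission) is possible again. The cached helper takes only portal_type, user and portal_path, none of which reflects the permissions currently held on `self`. Rather than OR-ing in one more permission per exception, as the XXX comment itself concedes is not the right approach, consider filtering the cached list after lookup against the permission each type actually requires on `self`, or passing the outcome of the permission checks as an extra cache argument. Two smaller points: the docstring drops "This requires restarting Zope to update values" without saying how the cache is invalidated now, and the `and\` continuation would be less fragile as a parenthesised condition.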