From 09b75367a72b9931ceecc9a92f01dfcd76c1ad23 Mon Sep 17 00:00:00 2001
From: Helmut Merz <helmutm@cy55.de>
Date: Sun, 19 Apr 2015 09:28:30 +0200
Subject: [PATCH] more control on propagation of role permissions via option

---
 security/setter.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/security/setter.py b/security/setter.py
index d185b98..3f539d5 100644
--- a/security/setter.py
+++ b/security/setter.py
@@ -151,7 +151,8 @@ class LoopsObjectSecuritySetter(BaseSecuritySetter):
         for parent in self.parents:
             if parent == self.baseObject:
                 continue
-            if getOption(parent, 'security.no_propagate', checkType=False):
+            if getOption(parent, 'security.no_propagate_rolepermissions', 
+                         checkType=False):
                 continue
             secProvider = parent
             wi = parent.workspaceInformation
@@ -234,14 +235,20 @@ class ConceptSecuritySetter(LoopsObjectSecuritySetter):
 
     adapts(IConceptSchema)
 
+    @Lazy
+    def noPropagateRolePermissions(self):
+        return getOption(self.baseObject, 'security.no_propagate_rolepermissions', 
+                         checkType=False)
+
     def setAcquiredSecurity(self, relation, revert=False, updated=None):
         if updated and relation.second in updated:
             return
         if relation.predicate not in self.acquiringPredicates:
             return
         setter = ISecuritySetter(adapted(relation.second))
-        setter.setDefaultRolePermissions()
-        setter.acquireRolePermissions()
+        if not self.noPropagateRolePermissions:
+            setter.setDefaultRolePermissions()
+            setter.acquireRolePermissions()
         setter.acquirePrincipalRoles()
         #wi = baseObject(self.context).workspaceInformation
         #if wi and not wi.propagateParentSecurity: