allow better control of create actions by checking 'AssignAsParent': check action permissions + related fixes

2013-01-28 16:00:06 +01:00 · 2013-01-28 16:00:06 +01:00 · 344a1d81e5
commit 344a1d81e5
parent d9a0f39f06
12 changed files with 56 additions and 30 deletions
--- a/README.txt
+++ b/README.txt
@ -2,8 +2,6 @@
 loops - Linked Objects for Organization and Processing Services
 ===============================================================
  ($Id$)
 The loops platform consists up of three basic types of objects:
 (1) concepts: simple interconnected objects usually representing
@ -612,7 +610,7 @@ Actions
  >>> view.controller = Controller(view, request)
  >>> #view.setupController()
-  >>> actions = view.getActions('portlet')
+  >>> actions = view.getAllowedActions('portlet')
  >>> len(actions)
  2
@ -849,7 +847,7 @@ In order to provide suitable links for viewing or editing a target you may
 ask a view which view and edit actions it supports. We directly use the
 target object's view here:
-  >>> actions = view.virtualTarget.getActions('object', page=view)
+  >>> actions = view.virtualTarget.getAllowedActions('object', page=view)
  >>> #actions[0].url
 'http://127.0.0.1/loops/views/m1/m11/m111/.target23'
--- a/browser/action.py
+++ b/browser/action.py
@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2012 Helmut Merz helmutm@cy55.de
+#  Copyright (c) 2013 Helmut Merz helmutm@cy55.de
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@ -129,6 +129,7 @@ actions.register('edit_object', 'portlet', DialogAction,
        viewName='edit_object.html',
        dialogName='edit',
        prerequisites=['registerDojoEditor'],
        permission='zope.ManageContent',
 )
 actions.register('edit_concept', 'portlet', DialogAction,
@ -137,6 +138,7 @@ actions.register('edit_concept', 'portlet', DialogAction,
        viewName='edit_concept.html',
        dialogName='edit',
        prerequisites=['registerDojoEditor'],
        permission='zope.ManageContent',
 )
 actions.register('create_concept', 'portlet', DialogAction,
@ -146,6 +148,7 @@ actions.register('create_concept', 'portlet', DialogAction,
        dialogName='createConcept',
        qualifier='create_concept',
        innerForm='inner_concept_form.html',
        permission='loops.AssignAsParent',
 )
 actions.register('create_subtype', 'portlet', DialogAction,
@ -155,4 +158,5 @@ actions.register('create_subtype', 'portlet', DialogAction,
        dialogName='createConcept',
        qualifier='subtype',
        innerForm='inner_concept_form.html',
        permission='loops.AssignAsParent',
 )
--- a/browser/common.py
+++ b/browser/common.py
@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2012 Helmut Merz helmutm@cy55.de
+#  Copyright (c) 2013 Helmut Merz helmutm@cy55.de
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@ -45,7 +45,7 @@ from zope.publisher.browser import applySkin
 from zope.publisher.interfaces.browser import IBrowserSkinType, IBrowserView
 from zope import schema
 from zope.schema.vocabulary import SimpleTerm
-from zope.security import canAccess, checkPermission
+from zope.security import canAccess
 from zope.security.interfaces import ForbiddenAttribute, Unauthorized
 from zope.security.proxy import removeSecurityProxy
 from zope.traversing.browser import absoluteURL
@ -67,6 +67,7 @@ from loops.i18n.browser import I18NView
 from loops.interfaces import IResource, IView, INode, ITypeConcept
 from loops.organize.tracking import access
 from loops.resource import Resource
 from loops.security.common import checkPermission
 from loops.security.common import canAccessObject, canListObject, canWriteObject
 from loops.type import ITypeConcept
 from loops import util
@ -706,6 +707,16 @@ class BaseView(GenericView, I18NView):
        """
        return []
    def getAllowedActions(self, category='object', page=None, target=None):
        result = []
        for act in self.getActions(category, page=page, target=target):
            if act.permission is not None:
                ctx = (target is not None and target.context) or self.context
                if not checkPermission(act.permission, ctx):
                    continue
            result.append(act)
        return result
    @Lazy
    def showObjectActions(self):
        return not IUnauthenticatedPrincipal.providedBy(self.request.principal)
--- a/browser/node.py
+++ b/browser/node.py
@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2012 Helmut Merz helmutm@cy55.de
+#  Copyright (c) 2013 Helmut Merz helmutm@cy55.de
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@ -51,17 +51,18 @@ from cybertools.typology.interfaces import IType, ITypeManager
 from cybertools.util.jeep import Jeep
 from cybertools.xedit.browser import ExternalEditorView
 from loops.browser.action import actions, DialogAction
 from loops.browser.common import BaseView
 from loops.browser.concept import ConceptView
 from loops.common import adapted, AdapterBase, baseObject
 from loops.i18n.browser import i18n_macros, LanguageInfo
 from loops.interfaces import IConcept, IResource, IDocument, IMediaAsset, INode
 from loops.interfaces import IViewConfiguratorSchema
 from loops.resource import MediaAsset
 from loops import util
 from loops.util import _
 from loops.browser.common import BaseView
 from loops.browser.concept import ConceptView
 from loops.organize.interfaces import IPresence
 from loops.organize.tracking import access
 from loops.resource import MediaAsset
 from loops.security.common import canWriteObject
 from loops import util
 from loops.util import _
 from loops.versioning.util import getVersion
@ -149,13 +150,15 @@ class NodeView(BaseView):
                        priority=20)
        cm.register('portlet_left', 'navigation', title='Navigation',
                    subMacro=node_macros.macros['menu'])
-        if canWrite(self.context, 'title') or (
+        if canWriteObject(self.context) or (
                # TODO: is this useful in any case?
                self.virtualTargetObject is not None and
-                    canWrite(self.virtualTargetObject, 'title')):
+                    canWriteObject(self.virtualTargetObject)):
            # check if there are any available actions;
            # store list of actions in macro object (evaluate only once)
-            actions = [act for act in self.getActions('portlet') if act.condition]
+            actions = [act for act in self.getAllowedActions('portlet',
                                            target=self.virtualTarget) 
                            if act.condition]
            if actions:
                cm.register('portlet_right', 'actions', title=_(u'Actions'),
                            subMacro=node_macros.macros['actions'],
@ -534,7 +537,7 @@ class NodeView(BaseView):
            return self.makeTargetUrl(self.url, util.getUidForObject(target),
                                      target.title)
-    def getActions(self, category='object', target=None):
+    def getActions(self, category='object', page=None, target=None):
        actions = []
        #self.registerDojo()
        self.registerDojoFormAll()
@ -557,9 +560,11 @@ class NodeView(BaseView):
                      description='Open concept map editor in new window',
                      url=cmeUrl, target=target))
        if self.checkAction('create_resource', 'portlet', target):
-            actions.append(DialogAction(self, title='Create Resource...',
+            actions.append(DialogAction(self, name='create_resource',
                      title='Create Resource...',
                      description='Create a new resource object.',
-                      page=self, target=target))
+                      page=self, target=target,
                      permission='zope.ManageContent'))
        return actions
    actions = dict(portlet=getPortletActions)
--- a/browser/node_macros.pt
+++ b/browser/node_macros.pt
@ -293,7 +293,8 @@
 <metal:actions define-macro="object_actions">
  <div id="object-actions" class="object-actions"
       tal:define="target nocall:target|nothing;">
-    <tal:actions repeat="action python:view.getActions('object', target=target)">
+    <tal:actions repeat="action python:
                    view.getAllowedActions('object', target=target)">
      <metal:action use-macro="action/macro" />
    </tal:actions>
  </div>
@ -322,7 +323,7 @@
    <div><a href="logout.html?nextURL=login.html"
            tal:attributes="href string:logout.html?nextURL=${view/menu/url}"
            i18n:translate="">Log out</a></div>
-    <tal:actions repeat="action python:view.getActions('personal')">
+    <tal:actions repeat="action python:view.getAllowedActions('personal')">
      <metal:action use-macro="action/macro" />
    </tal:actions>
 </metal:actions>
--- a/compound/blog/browser.py
+++ b/compound/blog/browser.py
@ -52,6 +52,7 @@ actions.register('createBlogPost', 'portlet', DialogAction,
        fixedType=True,
        innerForm='inner_concept_form.html',
        prerequisites=['registerDojoDateWidget'], # +'registerDojoTextWidget'?
        permission='loops.AssignAsParent',
 )
--- a/knowledge/browser.py
+++ b/knowledge/browser.py
@ -50,6 +50,7 @@ actions.register('createTopic', 'portlet', DialogAction,
        typeToken='.loops/concepts/topic',
        fixedType=True,
        innerForm='inner_concept_form.html',
        permission='loops.AssignAsParent',
 )
 actions.register('editTopic', 'portlet', DialogAction,
@ -57,6 +58,7 @@ actions.register('editTopic', 'portlet', DialogAction,
        description=_(u'Modify topic.'),
        viewName='edit_concept.html',
        dialogName='editTopic',
        permission='zope.ManageContent',
 )
 actions.register('createQualification', 'portlet', DialogAction,
@ -66,6 +68,7 @@ actions.register('createQualification', 'portlet', DialogAction,
        dialogName='createQualification',
        prerequisites=['registerDojoDateWidget', 'registerDojoNumberWidget',
                       'registerDojoTextarea'],
        permission='loops.AssignAsParent',
 )
--- a/organize/browser/event.py
+++ b/organize/browser/event.py
@ -56,6 +56,7 @@ actions.register('createEvent', 'portlet', DialogAction,
        typeToken='.loops/concepts/event',
        fixedType=True,
        prerequisites=['registerDojoDateWidget'],
        permission='loops.AssignAsParent',
 )
 actions.register('editEvent', 'portlet', DialogAction,
--- a/organize/stateful/configure.zcml
+++ b/organize/stateful/configure.zcml
@ -27,7 +27,7 @@
  <zope:adapter
        factory="loops.organize.stateful.base.SimplePublishable"
-        name="simple_publishing" trusted="True" />
+        name="simple_publishing" />
  <zope:class class="loops.organize.stateful.base.SimplePublishable">
    <require permission="zope.View"
             interface="cybertools.stateful.interfaces.IStateful" />
@ -41,7 +41,7 @@
  <zope:adapter
        factory="loops.organize.stateful.task.StatefulTask"
-        name="task_states" trusted="True" />
+        name="task_states" />
  <zope:class class="loops.organize.stateful.task.StatefulTask">
    <require permission="zope.View"
             interface="cybertools.stateful.interfaces.IStateful" />
@ -55,7 +55,7 @@
  <zope:adapter
        factory="loops.organize.stateful.task.PublishableTask"
-        name="publishable_task" trusted="True" />
+        name="publishable_task" />
  <zope:class class="loops.organize.stateful.task.PublishableTask">
    <require permission="zope.View"
             interface="cybertools.stateful.interfaces.IStateful" />
@ -69,7 +69,7 @@
  <zope:adapter
        factory="loops.organize.stateful.quality.ClassificationQualityCheckable"
-        name="classification_quality" trusted="True" />
+        name="classification_quality" />
  <zope:class class="loops.organize.stateful.quality.ClassificationQualityCheckable">
    <require permission="zope.View"
             interface="cybertools.stateful.interfaces.IStateful" />
--- a/security/common.py
+++ b/security/common.py
@ -75,7 +75,7 @@ def canListObject(obj, noCheck=False):
    return canAccess(obj, 'title')
 def canWriteObject(obj):
-    return canWrite(obj, 'title')
+    return canWrite(obj, 'title') or canAssignAsParent(obj) 
 def canEditRestricted(obj):
    return checkPermission('loops.EditRestricted', obj)
--- a/security/interfaces.py
+++ b/security/interfaces.py
@ -1,5 +1,5 @@
 #
-#  Copyright (c) 2009 Helmut Merz helmutm@cy55.de
+#  Copyright (c) 2013 Helmut Merz helmutm@cy55.de
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@ -18,8 +18,6 @@
 """
 Interfaces for loops security management.
 $Id$
 """
 from zope.interface import Interface, Attribute
@ -35,6 +33,10 @@ class ISecuritySetter(Interface):
            context object.
        """
    def setStateSecurity():
        """ Set the security according to the state(s) of the object.
        """
    def setDefaultRolePermissions():
        """ Set some default role permission assignments (grants) on the
            context object.
--- a/security/setter.py
+++ b/security/setter.py
@ -123,7 +123,6 @@ class LoopsObjectSecuritySetter(BaseSecuritySetter):
        rpm = self.rolePermissionManager
        for p, r, s in rpm.getRolesAndPermissions():
            setRolePermission(rpm, p, r, Unset)
        self.setStateSecurity()
    def setStateSecurity(self):
        statesDefs = (self.globalOptions('organize.stateful.concept', []) +
@ -151,6 +150,7 @@ class LoopsObjectSecuritySetter(BaseSecuritySetter):
                    settings[(p, r)] = s
        self.setDefaultRolePermissions()
        self.setRolePermissions(settings)
        self.setStateSecurity()
    def setRolePermissions(self, settings):
        for (p, r), s in settings.items():