From 8ab637c402763d2fe792c68b3708b5c0c3ae4881 Mon Sep 17 00:00:00 2001
From: Helmut Merz
Date: Sat, 26 Apr 2014 15:52:28 +0200
Subject: [PATCH] allow for additional access control (without acquisition/inheritance) on queries and types via 'access_permission' option
---
 security/common.py | 27 +++++++++++++++++++++++++--
 type.py | 2 +-
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/security/common.py b/security/common.py
index f1904ec..f87317a 100644
--- a/security/common.py
+++ b/security/common.py
@@ -36,6 +36,7 @@ from zope.security.management import getInteraction
 from zope.traversing.api import getName
 from zope.traversing.interfaces import IPhysicallyLocatable
+from cybertools.meta.interfaces import IOptions
 from loops.common import adapted
 from loops.interfaces import ILoopsObject, IConcept
 from loops.interfaces import IAssignmentEvent, IDeassignmentEvent
@@ -66,13 +67,35 @@ workspaceGroupsFolderName = 'gloops_ws'
 # checking and querying functions
+def getOption(obj, option, checkType=True):
+ opts = component.queryAdapter(adapted(obj), IOptions)
+ if opts is not None:
+ opt = opts(option, None)
+ if opt:
+ return opt[0]
+ if not checkType:
+ return None
+ typeMethod = getattr(obj, 'getType', None)
+ if typeMethod is not None:
+ opts = component.queryAdapter(adapted(typeMethod()), IOptions)
+ if opts is not None:
+ opt = opts(option, [None])
+ if opt:
+ return opt[0]
+ return None
+
 def canAccessObject(obj):
- return canAccess(obj, 'title')
+ if not canAccess(obj, 'title'):
+ return False
+ perm = getOption(obj, 'access_permission')
+ if not perm:
+ return True
+ return checkPermission(perm, obj)
 def canListObject(obj, noCheck=False):
 if noCheck:
 return True
- return canAccess(obj, 'title')
+ return canAccessObject(obj)
 def canAccessRestricted(obj):
 return checkPermission('loops.ViewRestricted', obj)
diff --git a/type.py b/type.py
index 0f9ffee..298e112 100644
--- a/type.py
+++ b/type.py
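Review bot: In `getOption` (second hunk of security/common.py) an `access_permission` set on the object itself is returned before the type is consulted, so an object-level option replaces a type-level one instead of adding to it, and nothing in the hunk documents that precedence or that only the first value (`opt[0]`) is used. If a type is meant to impose a minimum permission on all of its instances, `canAccessObject` would have to check both values; if the override is intended, a docstring on `getOption` should say so, for example `"""Return the first value of option from obj's own options, else from its type's options; None if unset."""`. `canAccessObject` treats a missing or empty option as no extra restriction, and `canListObject(obj, noCheck=True)` still skips the new permission check, both of which deserve a comment next to the code. The two lookups also pass different defaults (`None` and `[None]`); using `opt = opts(option, None)` in both places would read more consistently.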
@@ -110,7 +110,7 @@ class LoopsType(BaseType):
 @Lazy
 def typeProvider(self):
 # TODO: unify this type attribute naming...
- return self.context.resourceType
+ return getattr(self.context, 'resourceType', None)
 @Lazy
 def options(self):
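Review bot: `typeProvider` now returns `None` for any context without a `resourceType` attribute, and nothing in the hunk says which contexts those are or that callers must handle `None`. A short comment above the return, for example `# context may have no resourceType; None means no type provider`, would make the fallback read as deliberate, not as a masked attribute error. Code that dereferences `typeProvider` lies outside this hunk (the class body starts before it and `options` continues past it), so whether every caller tolerates `None` cannot be confirmed from here.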