Use the Iterate permissions instead of CMF core permissions

news/67.bugfix

@@ -0,0 +1,2 @@
+Use the Iterate permissions instead of CMF core permissions to support
+customizing the policy. [rpatterson]

plone/app/iterate/base.py

@@ -28,13 +28,17 @@
 
 from Acquisition import aq_inner
 from Acquisition import aq_parent
+from AccessControl import SpecialUsers
+
 from plone.app.iterate import interfaces
 from plone.app.iterate.event import BeforeCheckoutEvent
 from plone.app.iterate.event import CancelCheckoutEvent
 from plone.app.iterate.event import CheckoutEvent
 from plone.app.iterate.interfaces import ICheckinCheckoutPolicy
 from plone.app.iterate.interfaces import IObjectCopier
 from plone.app.iterate.util import get_storage
+from plone import api
+
 from Products.CMFCore import interfaces as cmf_ifaces
 from Products.CMFCore.utils import getToolByName
 from zope import component
@@ -151,10 +155,12 @@ def _removeDuplicateReferences(self, item, backrefs=False):
     def _copyBaseline(self, container):
         # copy the context from source to the target container
         source_container = aq_parent(aq_inner(self.context))
-        clipboard = source_container.manage_copyObjects([self.context.getId()])
-        result = container.manage_pasteObjects(clipboard)
+        with api.env._adopt_user(SpecialUsers.system):
+            clipboard = source_container.manage_copyObjects(
+                [self.context.getId()])
+            result = container.manage_pasteObjects(clipboard)
 
         # get a reference to the working copy
         target_id = result[0]['new_id']
         target = container._getOb(target_id)
-        return target
+        return target

plone/app/iterate/browser/configure.zcml

@@ -27,7 +27,7 @@
         name="content-checkin"
         class=".checkin.Checkin"
         template="checkin.pt"
-        permission="cmf.ModifyPortalContent"
+        permission="plone.app.iterate.CheckInContent"
         />
 
     <browser:page

plone/app/iterate/browser/control.py

@@ -29,7 +29,7 @@
 from plone.memoize.view import memoize
 from Products.Five.browser import BrowserView
 
-import Products.CMFCore.permissions
+from .. import permissions
 
 
 class Control(BrowserView):
@@ -62,11 +62,8 @@ def checkin_allowed(self):
         if original is None:
             return False
 
-        can_modify = checkPermission(
-            Products.CMFCore.permissions.ModifyPortalContent,
-            original,
-        )
-        if not can_modify:
+        can_check_in = checkPermission(permissions.CheckinPermission, original)
+        if not can_check_in:
             return False
 
         return True
@@ -75,6 +72,7 @@ def checkout_allowed(self):
         """Check if a checkout is allowed.
         """
         context = aq_inner(self.context)
+        checkPermission = getSecurityManager().checkPermission
 
         if not interfaces.IIterateAware.providedBy(context):
             return False
@@ -94,6 +92,11 @@ def checkout_allowed(self):
         if policy.getBaseline() is not None:
             return False
 
+        can_check_out = checkPermission(
+            permissions.CheckoutPermission, context)
+        if not can_check_out:
+            return False
+
         return True
 
     @memoize

plone/app/iterate/browser/info.py

@@ -5,10 +5,12 @@
 
 from AccessControl import getSecurityManager
 from DateTime import DateTime
+
 from plone.app.iterate.interfaces import IBaseline
 from plone.app.iterate.interfaces import ICheckinCheckoutPolicy
 from plone.app.iterate.interfaces import keys
-from plone.app.iterate.permissions import CheckoutPermission
+from plone.app.iterate import permissions
+
 from plone.memoize.instance import memoize
 from Products.CMFCore.permissions import ModifyPortalContent
 from Products.CMFCore.utils import getToolByName
@@ -92,7 +94,7 @@ def properties(self):
             return {}
 
     def _getReference(self):
-        raise NotImplemented
+        raise NotImplementedError()
 
 
 class BaselineInfoViewlet(BaseInfoViewlet):
@@ -104,7 +106,10 @@ def render(self):
         working_copy = self.working_copy()
         if working_copy is not None and (
                 sm.checkPermission(ModifyPortalContent, self.context) or
-                sm.checkPermission(CheckoutPermission, self.context) or
+                sm.checkPermission(
+                    permissions.CheckoutPermission, self.context) or
+                sm.checkPermission(
+                    permissions.CheckinPermission, working_copy) or
                 sm.checkPermission(ModifyPortalContent, working_copy)):
             return self.index()
         else:
@@ -127,7 +132,10 @@ def render(self):
         baseline = self.baseline()
         if baseline is not None and (
                 sm.checkPermission(ModifyPortalContent, self.context) or
-                sm.checkPermission(CheckoutPermission, baseline)):
+                sm.checkPermission(
+                    permissions.CheckoutPermission, baseline) or
+                sm.checkPermission(
+                    permissions.CheckinPermission, baseline)):
             return self.index()
         else:
             return ''

plone/app/iterate/configure.zcml

@@ -8,6 +8,16 @@
   <include package="zope.annotation" />
   <include package="Products.CMFCore" file="permissions.zcml" />
 
+  <permission
+    id="plone.app.iterate.CheckInContent"
+    title="iterate : Check in content"
+    />
+
+  <permission
+    id="plone.app.iterate.CheckOutContent"
+    title="iterate : Check out content"
+    />
+
   <include package=".subscribers"/>
   <include package=".browser"/>
 
@@ -85,16 +95,6 @@
      handler=".event.handleDeletion"
      />
 
-  <permission
-    id="plone.app.iterate.CheckInContent"
-    title="iterate : Check in content"
-    />
-
-  <permission
-    id="plone.app.iterate.CheckOutContent"
-    title="iterate : Check out content"
-    />
-
   <include package=".dexterity" zcml:condition="installed plone.app.relationfield" />
   <include file="at.zcml" zcml:condition="installed Products.Archetypes" />
 

plone/app/iterate/copier.py

@@ -28,9 +28,13 @@
 from Acquisition import aq_base
 from Acquisition import aq_inner
 from Acquisition import aq_parent
+from AccessControl import SpecialUsers
+
 from plone.app.iterate import interfaces
 from plone.app.iterate.base import BaseContentCopier
 from plone.app.iterate.interfaces import CheckinException
+from plone import api
+
 from Products.Archetypes.Referenceable import Referenceable
 from Products.CMFCore.utils import getToolByName
 from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
@@ -116,7 +120,10 @@ def _replaceBaseline(self, baseline):
         self.context._v_is_cp = 0
 
         wc_id = self.context.getId()
-        wc_container.manage_delObjects([wc_id])
+        # Bypass AT security check,
+        # checking `iterate : Check in content` should be sufficient
+        with api.env._adopt_user(SpecialUsers.system):
+            wc_container.manage_delObjects([wc_id])
 
         # move the working copy back to the baseline container
         working_copy = aq_base(self.context)

plone/app/iterate/permissions.py

@@ -26,6 +26,7 @@
 CheckinPermission = 'iterate : Check in content'
 CheckoutPermission = 'iterate : Check out content'
 
-DEFAULT_ROLES = ('Manager', 'Owner', 'Site Administrator', 'Editor')
-addPermission(CheckinPermission, default_roles=DEFAULT_ROLES)
-addPermission(CheckoutPermission, default_roles=DEFAULT_ROLES)
+addPermission(CheckinPermission, default_roles=(
+    'Manager', 'Site Administrator', 'Reviewer'))
+addPermission(CheckoutPermission, default_roles=(
+    'Manager', 'Owner', 'Site Administrator', 'Editor'))

plone/app/iterate/testing.py

@@ -34,10 +34,16 @@
     'password': 'secret',
     'roles': ['Contributor'],
 }
+REVIEWER = {
+    'id': 'reviewer',
+    'password': 'secret',
+    'roles': ['Reviewer'],
+}
 USERS_TO_BE_ADDED = (
     ADMIN,
     EDITOR,
     CONTRIBUTOR,
+    REVIEWER,
 )
 USERS_WITH_MEMBER_FOLDER = (
     EDITOR,

plone/app/iterate/tests/browser.rst

@@ -92,6 +92,7 @@ check out published pages::
     True
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization', 'Basic editor:secret')
 
     >>> browser.open(portal.absolute_url() + '/hello-world')
@@ -113,19 +114,12 @@ therefore our Editor lacks permissions to modify the original::
     ...
     LinkNotFoundError
 
-The Editor could, however, ask someone to retract the original so he
-gains permissions again and check in (and then possibly request for
-review)::
+The Reviewer can check the working copy back in to update the original
+published item::
 
     >>> browser = z2.Browser(app)
-    >>> browser.addHeader('Authorization',
-    ...                   'Basic %s:%s' % (SITE_OWNER_NAME, SITE_OWNER_PASSWORD))
-    >>> browser.open(portal.absolute_url() + '/hello-world')
-    >>> browser.getLink("Published").click()
-    >>> browser.getControl("Retract").click()
-    >>> browser.getControl("Save").click()
-    >>> browser = z2.Browser(app)
-    >>> browser.addHeader('Authorization', 'Basic editor:secret')
+    >>> browser.handleErrors = False
+    >>> browser.addHeader('Authorization', 'Basic reviewer:secret')
     >>> browser.open(portal.absolute_url() + '/hello-world')
     >>> browser.getLink("working copy").click()
     >>> browser.getLink("Check in").click()
@@ -261,8 +255,14 @@ Create a new page to test workflows with::
 
 Checkout::
 
+    >>> import transaction
+    >>> from plone import api
+    >>> api.user.grant_roles(username='editor', roles=['Contributor'])
+    >>> transaction.commit()
+
     >>> browser = z2.Browser(app)
-    >>> browser.addHeader('Authorization', 'Basic contributor:secret')
+    >>> browser.handleErrors = False
+    >>> browser.addHeader('Authorization', 'Basic editor:secret')
     >>> browser.open(workflow_test_url)
     >>> browser.getLink(id='plone-contentmenu-actions-iterate_checkout').click()
     >>> browser.contents
@@ -271,23 +271,27 @@ Checkout::
     >>> checkout_form.getControl('Parent folder').selected = True
     >>> checkout_form.getControl('Check out').click()
     >>> browser.contents
-    '...This is a working copy of...My workflow test..., made by...contributor...'
+    '...This is a working copy of...My workflow test..., made by...editor...'
     >>> browser.contents
     '...state-draft-copy...'
     >>> workflow_checkout_url = browser.url
 
+    >>> api.user.revoke_roles(username='editor', roles=['Contributor'])
+    >>> transaction.commit()
+
 Check get info message on original::
 
     >>> browser.open(workflow_test_url)
     >>> browser.contents
-    '...This item is being edited by...contributor...a working copy...'
+    '...This item is being edited by...editor...a working copy...'
 
 We're going to manually give the contributor user the CheckoutPermission
 to check it's used when displaying the info messages.  In our workflow
 once the checked out item is submitted the contributor no longer has
 permission to modify it but we still want them to see the info messages::
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization',
     ...                   'Basic %s:%s' % (SITE_OWNER_NAME, SITE_OWNER_PASSWORD))
 
@@ -297,6 +301,7 @@ permission to modify it but we still want them to see the info messages::
     >>> browser.getControl('Save Changes').click()
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization', 'Basic contributor:secret')
     >>> browser.open(workflow_checkout_url)
     >>> browser.getLink(id='workflow-transition-submit-copy-for-publication')\
@@ -314,6 +319,7 @@ move permissions in our workflow so this should not appear in the action menu.
 http://code.google.com/p/dexterity/issues/detail?id=258 ::
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization', 'Basic editor:secret')
     >>> browser.open(workflow_checkout_url)
     >>> browser.getLink(id='plone-contentmenu-actions-copy')