Use the Iterate permissions instead of CMF core permissions

news/67.bugfix

@@ -0,0 +1,3 @@
+Add support for customizing the policy of checking out and in using Zope's ACL
+security.  Use the Iterate permissions instead of CMF core permissions and
+allow controlling access based on who initiated the check out. [rpatterson]

plone/app/iterate/base.py

@@ -28,15 +28,20 @@
 
 from Acquisition import aq_inner
 from Acquisition import aq_parent
+from AccessControl import SecurityManagement
+
 from plone.app.iterate import interfaces
 from plone.app.iterate.event import BeforeCheckoutEvent
 from plone.app.iterate.event import CancelCheckoutEvent
 from plone.app.iterate.event import CheckoutEvent
 from plone.app.iterate.interfaces import ICheckinCheckoutPolicy
 from plone.app.iterate.interfaces import IObjectCopier
 from plone.app.iterate.util import get_storage
+from plone.app.iterate import util
+
 from Products.CMFCore import interfaces as cmf_ifaces
 from Products.CMFCore.utils import getToolByName
+
 from zope import component
 from zope.component import queryAdapter
 from zope.event import notify
@@ -151,10 +156,19 @@ def _removeDuplicateReferences(self, item, backrefs=False):
     def _copyBaseline(self, container):
         # copy the context from source to the target container
         source_container = aq_parent(aq_inner(self.context))
-        clipboard = source_container.manage_copyObjects([self.context.getId()])
-        result = container.manage_pasteObjects(clipboard)
+
+        with util.adopt_system():
+            clipboard = source_container.manage_copyObjects(
+                [self.context.getId()])
+            result = container.manage_pasteObjects(clipboard)
 
         # get a reference to the working copy
         target_id = result[0]['new_id']
         target = container._getOb(target_id)
-        return target
+
+        security_manager = SecurityManagement.getSecurityManager()
+        target.manage_addLocalRoles(
+            security_manager.getUser().getId(),
+            ('iterate: Check out initiator', ))
+
+        return target

plone/app/iterate/browser/configure.zcml

@@ -27,7 +27,7 @@
         name="content-checkin"
         class=".checkin.Checkin"
         template="checkin.pt"
-        permission="cmf.ModifyPortalContent"
+        permission="plone.app.iterate.CheckInContent"
         />
 
     <browser:page

plone/app/iterate/browser/control.py

@@ -29,7 +29,7 @@
 from plone.memoize.view import memoize
 from Products.Five.browser import BrowserView
 
-import Products.CMFCore.permissions
+from .. import permissions
 
 
 class Control(BrowserView):
@@ -62,11 +62,8 @@ def checkin_allowed(self):
         if original is None:
             return False
 
-        can_modify = checkPermission(
-            Products.CMFCore.permissions.ModifyPortalContent,
-            original,
-        )
-        if not can_modify:
+        can_check_in = checkPermission(permissions.CheckinPermission, context)
+        if not can_check_in:
             return False
 
         return True
@@ -75,6 +72,7 @@ def checkout_allowed(self):
         """Check if a checkout is allowed.
         """
         context = aq_inner(self.context)
+        checkPermission = getSecurityManager().checkPermission
 
         if not interfaces.IIterateAware.providedBy(context):
             return False
@@ -94,6 +92,11 @@ def checkout_allowed(self):
         if policy.getBaseline() is not None:
             return False
 
+        can_check_out = checkPermission(
+            permissions.CheckoutPermission, context)
+        if not can_check_out:
+            return False
+
         return True
 
     @memoize

plone/app/iterate/browser/info.py

@@ -5,10 +5,12 @@
 
 from AccessControl import getSecurityManager
 from DateTime import DateTime
+
 from plone.app.iterate.interfaces import IBaseline
 from plone.app.iterate.interfaces import ICheckinCheckoutPolicy
 from plone.app.iterate.interfaces import keys
-from plone.app.iterate.permissions import CheckoutPermission
+from plone.app.iterate import permissions
+
 from plone.memoize.instance import memoize
 from Products.CMFCore.permissions import ModifyPortalContent
 from Products.CMFCore.utils import getToolByName
@@ -92,7 +94,7 @@ def properties(self):
             return {}
 
     def _getReference(self):
-        raise NotImplemented
+        raise NotImplementedError()
 
 
 class BaselineInfoViewlet(BaseInfoViewlet):
@@ -104,7 +106,10 @@ def render(self):
         working_copy = self.working_copy()
         if working_copy is not None and (
                 sm.checkPermission(ModifyPortalContent, self.context) or
-                sm.checkPermission(CheckoutPermission, self.context) or
+                sm.checkPermission(
+                    permissions.CheckoutPermission, self.context) or
+                sm.checkPermission(
+                    permissions.CheckinPermission, working_copy) or
                 sm.checkPermission(ModifyPortalContent, working_copy)):
             return self.index()
         else:
@@ -127,7 +132,10 @@ def render(self):
         baseline = self.baseline()
         if baseline is not None and (
                 sm.checkPermission(ModifyPortalContent, self.context) or
-                sm.checkPermission(CheckoutPermission, baseline)):
+                sm.checkPermission(
+                    permissions.CheckoutPermission, baseline) or
+                sm.checkPermission(
+                    permissions.CheckinPermission, baseline)):
             return self.index()
         else:
             return ''

plone/app/iterate/configure.zcml

@@ -8,6 +8,16 @@
   <include package="zope.annotation" />
   <include package="Products.CMFCore" file="permissions.zcml" />
 
+  <permission
+    id="plone.app.iterate.CheckInContent"
+    title="iterate : Check in content"
+    />
+
+  <permission
+    id="plone.app.iterate.CheckOutContent"
+    title="iterate : Check out content"
+    />
+
   <include package=".subscribers"/>
   <include package=".browser"/>
 
@@ -85,16 +95,6 @@
      handler=".event.handleDeletion"
      />
 
-  <permission
-    id="plone.app.iterate.CheckInContent"
-    title="iterate : Check in content"
-    />
-
-  <permission
-    id="plone.app.iterate.CheckOutContent"
-    title="iterate : Check out content"
-    />
-
   <include package=".dexterity" zcml:condition="installed plone.app.relationfield" />
   <include file="at.zcml" zcml:condition="installed Products.Archetypes" />
 

plone/app/iterate/copier.py

@@ -28,20 +28,24 @@
 from Acquisition import aq_base
 from Acquisition import aq_inner
 from Acquisition import aq_parent
+
 from plone.app.iterate import interfaces
 from plone.app.iterate.base import BaseContentCopier
 from plone.app.iterate.interfaces import CheckinException
+
 from Products.Archetypes.Referenceable import Referenceable
 from Products.CMFCore.utils import getToolByName
 from Products.DCWorkflow.DCWorkflow import DCWorkflowDefinition
-from .relation import WorkingCopyRelation
 from ZODB.PersistentMapping import PersistentMapping
 from zope import component
 from zope import interface
 from zope.annotation.interfaces import IAnnotations
 from zope.event import notify
 from zope.lifecycleevent import ObjectMovedEvent
 
+from . import util
+from .relation import WorkingCopyRelation
+
 
 @interface.implementer(interfaces.IObjectCopier)
 @component.adapter(interfaces.IIterateAware)
@@ -116,7 +120,10 @@ def _replaceBaseline(self, baseline):
         self.context._v_is_cp = 0
 
         wc_id = self.context.getId()
-        wc_container.manage_delObjects([wc_id])
+        # Bypass AT security check,
+        # checking `iterate : Check in content` should be sufficient
+        with util.adopt_system():
+            wc_container.manage_delObjects([wc_id])
 
         # move the working copy back to the baseline container
         working_copy = aq_base(self.context)

plone/app/iterate/permissions.py

@@ -26,6 +26,7 @@
 CheckinPermission = 'iterate : Check in content'
 CheckoutPermission = 'iterate : Check out content'
 
-DEFAULT_ROLES = ('Manager', 'Owner', 'Site Administrator', 'Editor')
-addPermission(CheckinPermission, default_roles=DEFAULT_ROLES)
-addPermission(CheckoutPermission, default_roles=DEFAULT_ROLES)
+addPermission(CheckinPermission, default_roles=(
+    'Manager', 'Site Administrator', 'Reviewer'))
+addPermission(CheckoutPermission, default_roles=(
+    'Manager', 'Owner', 'Site Administrator', 'Editor'))

plone/app/iterate/testing.py

@@ -34,10 +34,16 @@
     'password': 'secret',
     'roles': ['Contributor'],
 }
+REVIEWER = {
+    'id': 'reviewer',
+    'password': 'secret',
+    'roles': ['Reviewer'],
+}
 USERS_TO_BE_ADDED = (
     ADMIN,
     EDITOR,
     CONTRIBUTOR,
+    REVIEWER,
 )
 USERS_WITH_MEMBER_FOLDER = (
     EDITOR,

plone/app/iterate/tests/browser.rst

@@ -92,6 +92,7 @@ check out published pages::
     True
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization', 'Basic editor:secret')
 
     >>> browser.open(portal.absolute_url() + '/hello-world')
@@ -113,19 +114,12 @@ therefore our Editor lacks permissions to modify the original::
     ...
     LinkNotFoundError
 
-The Editor could, however, ask someone to retract the original so he
-gains permissions again and check in (and then possibly request for
-review)::
+The Reviewer can check the working copy back in to update the original
+published item::
 
     >>> browser = z2.Browser(app)
-    >>> browser.addHeader('Authorization',
-    ...                   'Basic %s:%s' % (SITE_OWNER_NAME, SITE_OWNER_PASSWORD))
-    >>> browser.open(portal.absolute_url() + '/hello-world')
-    >>> browser.getLink("Published").click()
-    >>> browser.getControl("Retract").click()
-    >>> browser.getControl("Save").click()
-    >>> browser = z2.Browser(app)
-    >>> browser.addHeader('Authorization', 'Basic editor:secret')
+    >>> browser.handleErrors = False
+    >>> browser.addHeader('Authorization', 'Basic reviewer:secret')
     >>> browser.open(portal.absolute_url() + '/hello-world')
     >>> browser.getLink("working copy").click()
     >>> browser.getLink("Check in").click()
@@ -261,8 +255,14 @@ Create a new page to test workflows with::
 
 Checkout::
 
+    >>> import transaction
+    >>> from plone import api
+    >>> api.user.grant_roles(username='editor', roles=['Contributor'])
+    >>> transaction.commit()
+
     >>> browser = z2.Browser(app)
-    >>> browser.addHeader('Authorization', 'Basic contributor:secret')
+    >>> browser.handleErrors = False
+    >>> browser.addHeader('Authorization', 'Basic editor:secret')
     >>> browser.open(workflow_test_url)
     >>> browser.getLink(id='plone-contentmenu-actions-iterate_checkout').click()
     >>> browser.contents
@@ -271,23 +271,27 @@ Checkout::
     >>> checkout_form.getControl('Parent folder').selected = True
     >>> checkout_form.getControl('Check out').click()
     >>> browser.contents
-    '...This is a working copy of...My workflow test..., made by...contributor...'
+    '...This is a working copy of...My workflow test..., made by...editor...'
     >>> browser.contents
     '...state-draft-copy...'
     >>> workflow_checkout_url = browser.url
 
+    >>> api.user.revoke_roles(username='editor', roles=['Contributor'])
+    >>> transaction.commit()
+
 Check get info message on original::
 
     >>> browser.open(workflow_test_url)
     >>> browser.contents
-    '...This item is being edited by...contributor...a working copy...'
+    '...This item is being edited by...editor...a working copy...'
 
 We're going to manually give the contributor user the CheckoutPermission
 to check it's used when displaying the info messages.  In our workflow
 once the checked out item is submitted the contributor no longer has
 permission to modify it but we still want them to see the info messages::
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization',
     ...                   'Basic %s:%s' % (SITE_OWNER_NAME, SITE_OWNER_PASSWORD))
 
@@ -297,6 +301,7 @@ permission to modify it but we still want them to see the info messages::
     >>> browser.getControl('Save Changes').click()
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization', 'Basic contributor:secret')
     >>> browser.open(workflow_checkout_url)
     >>> browser.getLink(id='workflow-transition-submit-copy-for-publication')\
@@ -314,6 +319,7 @@ move permissions in our workflow so this should not appear in the action menu.
 http://code.google.com/p/dexterity/issues/detail?id=258 ::
 
     >>> browser = z2.Browser(app)
+    >>> browser.handleErrors = False
     >>> browser.addHeader('Authorization', 'Basic editor:secret')
     >>> browser.open(workflow_checkout_url)
     >>> browser.getLink(id='plone-contentmenu-actions-copy')

plone/app/iterate/tests/test_iterate.py

@@ -22,9 +22,12 @@
 ##################################################################
 
 from AccessControl import getSecurityManager
+
 from plone.app.iterate.browser.control import Control
 from plone.app.iterate.interfaces import ICheckinCheckoutPolicy
+from plone.app.iterate import testing
 from plone.app.iterate.testing import PLONEAPPITERATEDEX_INTEGRATION_TESTING
+
 from plone.app.testing import login
 from plone.app.testing import setRoles
 from plone.app.testing import TEST_USER_ID
@@ -207,3 +210,32 @@ def test_control_cancel_on_original_does_not_delete_original(self):
         from plone.app.iterate.interfaces import CheckoutException
         with self.assertRaises(CheckoutException):
             cancel()
+
+    def test_local_role(self):
+        """
+        A local role is assigned for the user making the checkout.
+        """
+        self.portal.portal_membership.addMember(
+            testing.EDITOR['id'], testing.EDITOR['password'],
+            testing.EDITOR['roles'], [])
+        login(self.portal, testing.EDITOR['id'])
+
+        baseline = self.portal.docs.doc1
+        policy = ICheckinCheckoutPolicy(baseline, None)
+        working_copy = policy.checkout(self.portal.workarea)
+
+        # Verify assumptions
+        self.assertEqual(
+            baseline.get_local_roles_for_userid(TEST_USER_ID), ('Owner', ),
+            'Different Owner local role than this test assumes')
+        self.assertEqual(
+            working_copy.get_local_roles_for_userid(TEST_USER_ID), ('Owner', ),
+            'Different Owner local role than this test assumes')
+        self.assertEqual(
+            baseline.get_local_roles_for_userid('editor'), (),
+            'Different check out user local role than this test assumes')
+
+        self.assertEqual(
+            working_copy.get_local_roles_for_userid('editor'),
+            ('iterate: Check out initiator', ),
+            'Wrong check out initiator local role')