Don't render tile for anon if unpublished nitf.

This fixes

    #185

Showing a default Plone message of "Insufficient Privileges" when an
Anonymous user renders a tile that have an unpublished nitf associated
to the tile.

CHANGES.rst

@@ -6,6 +6,10 @@ There's a frood who really knows where his towel is.
 2.1b2 (unreleased)
 ^^^^^^^^^^^^^^^^^^
 
+- Don't render tile for anonymous users if related nitf content is unpublished.
+  (closes `#185`_).
+  [idgserpro]
+
 - Fix upgrade process between versions 1.0 and 2.0;
   check documentation on migration from 1.x to 2.x (closes `#198`_).
   [rodfersou, hvelarde]
@@ -196,4 +200,5 @@ There's a frood who really knows where his towel is.
 .. _`#169`: https://github.com/collective/collective.nitf/issues/169
 .. _`#175`: https://github.com/collective/collective.nitf/issues/175
 .. _`#178`: https://github.com/collective/collective.nitf/issues/178
+.. _`#185`: https://github.com/collective/collective.nitf/issues/185
 .. _`#198`: https://github.com/collective/collective.nitf/issues/198

src/collective/nitf/config.py

@@ -201,3 +201,6 @@
     '++resource++collective.js.cycle2/jquery.cycle2.carousel.min.js',
     '++resource++collective.js.cycle2/jquery.cycle2.swipe.min.js',
 )
+
+# Used in nitf tile.
+NO_PRIVILEGES_TOKEN = 'heading_no_privileges'

src/collective/nitf/tests/test_nitf_tile.py

@@ -1,10 +1,12 @@
 # -*- coding: utf-8 -*-
 """Tests in this module are executed only if collective.cover is installed."""
+from collective.nitf.config import NO_PRIVILEGES_TOKEN
 from collective.nitf.testing import HAS_COVER
 from collective.nitf.testing import INTEGRATION_TESTING
 from lxml import etree
 from mock import Mock
 from plone import api
+from plone.app.testing import logout
 
 import unittest
 
@@ -98,3 +100,54 @@ def test_render_deleted_object(self):
         # some metadata is still present
         self.assertIn('Lorem ipsum', html.xpath('//h2/a/text()'))
         self.assertFalse(html.xpath('//time'))  # date is ignored
+
+    def test_dont_render_for_anonymous(self):
+        # https://github.com/collective/collective.nitf/issues/185
+
+        original_get_configured_fields = self.tile.get_configured_fields
+
+        def get_configured_fields():
+            """
+
+            XXX: In bin/test infrastructure, for some reason, an anonymous user
+            trying to view the nitf.pt gives a permission error for view/@@images:
+            this doesn't happen in bin/instance.
+
+            collective.nitf/src/collective/nitf/tiles/nitf.pt
+               - Line 34, Column 10
+               - Expression: <PathExpr standard:u'view/@@images'>
+               - Names:
+                  {'args': (),
+                   'context': <Cover at /plone/c1>,
+                   'default': <object object at 0x7f45386d2ad0>,
+                   'loop': {},
+                   'nothing': None,
+                   'options': {},
+                   'repeat': {},
+                   'request': <HTTPRequest, URL=http://nohost>,
+                   'template': <zope.browserpage.viewpagetemplatefile.ViewPageTemplateFile object at 0x7f4527319390>,
+                   'view': <collective.nitf.tiles.nitf.NITFTile object at 0x7f4521cec150>,
+                   'views': <zope.browserpage.viewpagetemplatefile.ViewMapper object at 0x7f4521960590>}
+            AccessControl-3.0.11-py2.7-linux-x86_64.egg/AccessControl/ImplPython.py", line 420, in validate
+               raise Unauthorized(name, value)
+            Unauthorized: You are not allowed to access 'lorem-ipsum' in this context
+
+            So, we remove 'image' field info so nitf.pt doesn't call view/@@images.
+            Since it's not needed for the context of this test, no harm is done.
+
+            """
+            fields = original_get_configured_fields()
+            return [f for f in fields if f['id'] != 'image']
+
+        self.tile.get_configured_fields = get_configured_fields
+
+        with api.env.adopt_roles(['Manager']):
+            n1 = api.content.create(
+                self.portal, 'collective.nitf.content', title='Lorem ipsum')
+            self.tile.populate_with_object(n1)
+
+        logout()
+        html = self.tile()
+        self.assertNotIn('Lorem ipsum', html)
+        self.assertIn(NO_PRIVILEGES_TOKEN, html)
+        self.tile.get_configured_fields = original_get_configured_fields

src/collective/nitf/tiles/nitf.py

@@ -3,10 +3,13 @@
 from collective.cover.tiles.basic import IBasicTile
 from collective.cover.tiles.configuration_view import IDefaultConfigureForm
 from collective.nitf import _
+from collective.nitf.config import NO_PRIVILEGES_TOKEN
 from collective.nitf.interfaces import INITF
+from plone import api
 from plone.autoform import directives as form
 from plone.tiles.interfaces import ITileDataManager
 from plone.uuid.interfaces import IUUID
+from Products.CMFPlone import PloneMessageFactory as _plone
 from zope import schema
 from zope.browserpage import ViewPageTemplateFile
 from zope.interface import implementer
@@ -47,6 +50,24 @@ class NITFTile(BasicTile):
 
     short_name = _(u'msg_short_name_nitf', u'News Article')
 
+    def __call__(self, *args, **kwargs):
+        """
+        This method was inspired by
+
+            https://github.com/plone/plone.tiles/blob/5f13cc63efc3c0ee429ff103685b19161333afd7/plone/tiles/esi.py#L59
+
+        Based on ConditionalESIRendering, if there's no index, 'render' is
+        called instead. We used the same idea but for a different purpose: if
+        the object related to the tile isn't available (happens when an
+        anonymous user tries to view an unpublished item in a tile), we show
+        a message saying that there's a privilege problem. If the tile is
+        available, __call__ is normally called.
+        """
+        if api.user.is_anonymous() and self.brain is None and not self.is_compose_mode():
+            return self.context.translate(_plone(NO_PRIVILEGES_TOKEN))
+        else:
+            return super(NITFTile, self).__call__(*args, **kwargs)
+
     def accepted_ct(self):
         """Return a list of content types accepted by the tile."""
         return ['collective.nitf.content']