Merge pull request #120 from plone/use_package_permissions

Use package permissions to protect views instead of more general ones
plone · Feb 21, 2024 · 44d8322 · 44d8322
2 parents f37417f + 48cfdbb
commit 44d8322
Show file tree

Hide file tree

Showing 8 changed files with 65 additions and 66 deletions.
diff --git a/news/120.news b/news/120.news
@@ -0,0 +1,2 @@
+Use the package-permissions to protect views and toolbar-actions.
+[pbauer]
diff --git a/plone/app/iterate/__init__.py b/plone/app/iterate/__init__.py
@@ -1,25 +1,3 @@
-##################################################################
-#
-# (C) Copyright 2006 ObjectRealms, LLC
-# All Rights Reserved
-#
-# This file is part of iterate.
-#
-# iterate is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# iterate is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with iterate; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-##################################################################
-from plone.app.iterate import permissions  # noqa: F401
 from zope.i18nmessageid import MessageFactory
 
 import logging

diff --git a/plone/app/iterate/browser/configure.zcml b/plone/app/iterate/browser/configure.zcml
@@ -20,15 +20,15 @@
       for="..interfaces.IIterateAware"
       class=".checkout.Checkout"
       template="checkout.pt"
-      permission="zope2.View"
+      permission="plone.app.iterate.CheckOutContent"
       />
 
   <browser:page
       name="content-checkin"
       for="..interfaces.IIterateAware"
       class=".checkin.Checkin"
       template="checkin.pt"
-      permission="cmf.ModifyPortalContent"
+      permission="plone.app.iterate.CheckInContent"
       />
 
   <browser:page
@@ -46,7 +46,7 @@
       for="..interfaces.IIterateManagedContent"
       class=".diff.DiffView"
       template="diff.pt"
-      permission="zope2.View"
+      permission="cmf.ModifyPortalContent"
       />
 
   <browser:viewlet

diff --git a/plone/app/iterate/browser/control.py b/plone/app/iterate/browser/control.py
@@ -25,6 +25,8 @@
 from plone.app.iterate import interfaces
 from plone.app.iterate.interfaces import ICheckinCheckoutPolicy
 from plone.app.iterate.interfaces import IWorkingCopy
+from plone.app.iterate.permissions import CheckinPermission
+from plone.app.iterate.permissions import CheckoutPermission
 from plone.memoize.view import memoize
 from Products.Five.browser import BrowserView
 
@@ -67,6 +69,13 @@ def checkin_allowed(self):
         if not can_modify:
             return False
 
+        can_checkin = checkPermission(
+            CheckinPermission,
+            original,
+        )
+        if not can_checkin:
+            return False
+
         return True
 
     def checkout_allowed(self):
@@ -91,6 +100,14 @@ def checkout_allowed(self):
         if policy.getBaseline() is not None:
             return False
 
+        checkPermission = getSecurityManager().checkPermission
+        can_checkout = checkPermission(
+            CheckoutPermission,
+            context,
+        )
+        if not can_checkout:
+            return False
+
         return True
 
     @memoize

diff --git a/plone/app/iterate/configure.zcml b/plone/app/iterate/configure.zcml
@@ -23,6 +23,16 @@
       file="meta.zcml"
       />
 
+  <permission
+      id="plone.app.iterate.CheckInContent"
+      title="iterate : Check in content"
+      />
+
+  <permission
+      id="plone.app.iterate.CheckOutContent"
+      title="iterate : Check out content"
+      />
+
   <include package="plone.locking" />
   <include package="plone.memoize" />
   <include package="Products.CMFCore" />
@@ -102,6 +112,17 @@
       import_profile="plone.app.iterate:to1000"
       />
 
+  <genericsetup:upgradeSteps
+      profile="plone.app.iterate:default"
+      source="1000"
+      destination="1001"
+      >
+    <genericsetup:upgradeDepends
+        title="Load rolemap"
+        import_steps="rolemap"
+        />
+  </genericsetup:upgradeSteps>
+
   <utility
       factory=".setuphandlers.HiddenProfiles"
       name="plone.app.iterate"
@@ -127,15 +148,4 @@
       handler=".event.handleDeletion"
       />
 
-  <permission
-      id="plone.app.iterate.CheckInContent"
-      title="iterate : Check in content"
-      />
-
-  <permission
-      id="plone.app.iterate.CheckOutContent"
-      title="iterate : Check out content"
-      />
-
-
 </configure>
diff --git a/plone/app/iterate/permissions.py b/plone/app/iterate/permissions.py
@@ -1,31 +1,2 @@
-##################################################################
-#
-# (C) Copyright 2006 ObjectRealms, LLC
-# All Rights Reserved
-#
-# This file is part of iterate.
-#
-# iterate is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# iterate is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with CMFDeployment; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-##################################################################
-
-from AccessControl.Permission import addPermission
-
-
 CheckinPermission = "iterate : Check in content"
 CheckoutPermission = "iterate : Check out content"
-
-DEFAULT_ROLES = ("Manager", "Owner", "Site Administrator", "Editor")
-addPermission(CheckinPermission, default_roles=DEFAULT_ROLES)
-addPermission(CheckoutPermission, default_roles=DEFAULT_ROLES)
diff --git a/plone/app/iterate/profiles/default/metadata.xml b/plone/app/iterate/profiles/default/metadata.xml
@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <metadata>
-  <version>1000</version>
+  <version>1001</version>
 </metadata>
diff --git a/plone/app/iterate/profiles/default/rolemap.xml b/plone/app/iterate/profiles/default/rolemap.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rolemap>
+  <permissions>
+    <permission acquire="True"
+                name="iterate : Check out content"
+    >
+      <role name="Manager" />
+      <role name="Site Administrator" />
+      <role name="Editor" />
+      <role name="Owner" />
+    </permission>
+    <permission acquire="True"
+                name="iterate : Check in content"
+    >
+      <role name="Manager" />
+      <role name="Site Administrator" />
+      <role name="Editor" />
+      <role name="Owner" />
+    </permission>
+  </permissions>
+</rolemap>