Allow all intranet users to view content in an open workspace

src/ploneintranet/workspace/configure.zcml

@@ -36,6 +36,12 @@
      handler=".subscribers.workspace_added"
      />
 
+  <subscriber
+     for="ploneintranet.workspace.workspacefolder.IWorkspaceFolder
+          Products.DCWorkflow.interfaces.IAfterTransitionEvent"
+     handler=".subscribers.workspace_state_changed"
+     />
+
   <!-- Subscribe to ParticipationPolicyChangedEvent in order to
        update existing users-->
   <subscriber

src/ploneintranet/workspace/profiles/default/workflows/ploneintranet_workflow/definition.xml

@@ -101,6 +101,7 @@
       <permission-role>TeamManager</permission-role>
       <permission-role>TeamMember</permission-role>
       <permission-role>Reader</permission-role>
+      <permission-role>Guest</permission-role>
     </permission-map>
     <permission-map name="List folder contents"
                     acquired="False">
@@ -127,6 +128,7 @@
       <permission-role>TeamManager</permission-role>
       <permission-role>TeamMember</permission-role>
       <permission-role>Reader</permission-role>
+      <permission-role>Guest</permission-role>
     </permission-map>
   </state>
 

src/ploneintranet/workspace/subscribers.py

@@ -3,8 +3,34 @@
 from Products.CMFPlacefulWorkflow.PlacefulWorkflowTool \
     import WorkflowPolicyConfig_id
 from zope.globalrequest import getRequest
-
 from ploneintranet.workspace.utils import get_storage
+from ploneintranet.workspace.config import INTRANET_USERS_GROUP_ID
+
+
+def workspace_state_changed(ob, event):
+    """
+    when a workspace is made 'open', we need to
+    give all intranet users the 'Guest' role
+
+    equally, when the workspace is not open, we need
+    to remove the role again
+    """
+    workspace = event.object
+    roles = ['Guest', ]
+    if event.new_state.id == 'open':
+        api.group.grant_roles(
+            groupname=INTRANET_USERS_GROUP_ID,
+            obj=workspace,
+            roles=roles,
+        )
+        workspace.reindexObjectSecurity()
+    elif event.old_state.id == 'open':
+        api.group.revoke_roles(
+            groupname=INTRANET_USERS_GROUP_ID,
+            obj=workspace,
+            roles=roles,
+        )
+        workspace.reindexObjectSecurity()
 
 
 def workspace_added(ob, event):

src/ploneintranet/workspace/tests/test_subscribers.py

@@ -0,0 +1,36 @@
+from ploneintranet.workspace.tests.base import BaseTestCase
+from ploneintranet.workspace.config import INTRANET_USERS_GROUP_ID
+from plone import api
+
+
+class TestSubscribers(BaseTestCase):
+
+    def test_workspace_state_changed(self):
+        self.login_as_portal_owner()
+        workspace_folder = api.content.create(
+            self.portal,
+            'ploneintranet.workspace.workspacefolder',
+            'example-workspace')
+        roles = api.group.get_roles(
+            groupname=INTRANET_USERS_GROUP_ID,
+            obj=workspace_folder,
+        )
+        self.assertNotIn('Guest', roles)
+
+        # Transition to open should add the role
+        api.content.transition(obj=workspace_folder,
+                               to_state='open')
+        roles = api.group.get_roles(
+            groupname=INTRANET_USERS_GROUP_ID,
+            obj=workspace_folder,
+        )
+        self.assertIn('Guest', roles)
+
+        # Transition to another state should remove it
+        api.content.transition(obj=workspace_folder,
+                               to_state='private')
+        roles = api.group.get_roles(
+            groupname=INTRANET_USERS_GROUP_ID,
+            obj=workspace_folder,
+        )
+        self.assertNotIn('Guest', roles)