# HG changeset patch
# User Thierry Florac <tflorac@ulthar.net>
# Date 1511686561 -3600
# Node ID 5ab6ce5c00fbab9b3d11b107c06ccf3b406c0a53
# Parent  3f7f7a1624f00037abcf4846bfaee0627c0bc955
Remove restrictions when manager role is revoked

diff -r 3f7f7a1624f0 -r 5ab6ce5c00fb src/pyams_content/shared/common/security.py
--- a/src/pyams_content/shared/common/security.py	Sun Nov 26 09:55:24 2017 +0100
+++ b/src/pyams_content/shared/common/security.py	Sun Nov 26 09:56:01 2017 +0100
@@ -16,16 +16,17 @@
 # import standard library
 
 # import interfaces
-from pyams_content.interfaces import MANAGE_CONTENT_PERMISSION
+from pyams_content.interfaces import MANAGE_CONTENT_PERMISSION, MANAGER_ROLE
 from pyams_content.shared.common.interfaces import IWfSharedContent, IManagerRestrictions, MANAGER_RESTRICTIONS_KEY, \
     IManagerRestrictionsFactory, IBaseSharedTool, IManagerRestrictionInfo
 
 # import packages
 from persistent import Persistent
-from pyams_security.interfaces import IPrincipalInfo
+from pyams_security.interfaces import IPrincipalInfo, IRevokedRoleEvent
 from pyams_utils.adapter import adapter_config, ContextAdapter
 from pyams_utils.request import check_request
 from pyams_utils.traversing import get_parent
+from pyramid.events import subscriber
 from zope.annotation.interfaces import IAnnotations
 from zope.container.folder import Folder
 from zope.interface import implementer
@@ -82,6 +83,25 @@
             principal = principal.id
         restrictions_folder[principal] = restrictions
 
+    def drop_restrictions(self, principal):
+        annotations = IAnnotations(self.context)
+        restrictions_folder = annotations.get(MANAGER_RESTRICTIONS_KEY)
+        if restrictions_folder is None:
+            return
+        if IPrincipalInfo.providedBy(principal):
+            principal = principal.id
+        if principal in restrictions_folder:
+            del restrictions_folder[principal]
+
+
+@subscriber(IRevokedRoleEvent)
+def handle_revoked_manager_role(event):
+    """Handle revoked manager role"""
+    if event.role_id == MANAGER_ROLE:
+        restrictions = IManagerRestrictions(event.object.__parent__, None)
+        if restrictions:
+            restrictions.drop_restrictions(event.principal_id)
+
 
 @adapter_config(context=IWfSharedContent, provides=IManagerRestrictions)
 def SharedContentManagerRestrictions(context):
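Review bot: The guard `if restrictions:` in handle_revoked_manager_role tests the adapter's truthiness rather than its presence, so an IManagerRestrictions implementation that defines `__len__` or `__bool__` (a folder-like object with no entries, say) would make a legitimate revocation silently skip drop_restrictions and leave stale restrictions attached to a principal who no longer holds the role. Since the adapter lookup returns None on failure, the intended check is `if restrictions is not None:`. The handler also relies on `event.object.__parent__` being the shared content that carries the restrictions annotation; that is not visible here, and a short comment such as `# event.object is expected to be the role map of the shared content; its parent carries the restrictions` would make the assumption reviewable. drop_restrictions has no docstring, unlike the other definitions in this module; `"""Remove stored manager restrictions for the given principal, if any"""` would do.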