# HG changeset patch # User Thierry Florac # Date 1511686561 -3600 # Node ID 5ab6ce5c00fbab9b3d11b107c06ccf3b406c0a53 # Parent 3f7f7a1624f00037abcf4846bfaee0627c0bc955 Remove restrictions when manager role is revoked diff -r 3f7f7a1624f0 -r 5ab6ce5c00fb src/pyams_content/shared/common/security.py --- a/src/pyams_content/shared/common/security.py Sun Nov 26 09:55:24 2017 +0100 +++ b/src/pyams_content/shared/common/security.py Sun Nov 26 09:56:01 2017 +0100 @@ -16,16 +16,17 @@ # import standard library # import interfaces -from pyams_content.interfaces import MANAGE_CONTENT_PERMISSION +from pyams_content.interfaces import MANAGE_CONTENT_PERMISSION, MANAGER_ROLE from pyams_content.shared.common.interfaces import IWfSharedContent, IManagerRestrictions, MANAGER_RESTRICTIONS_KEY, \ IManagerRestrictionsFactory, IBaseSharedTool, IManagerRestrictionInfo # import packages from persistent import Persistent -from pyams_security.interfaces import IPrincipalInfo +from pyams_security.interfaces import IPrincipalInfo, IRevokedRoleEvent from pyams_utils.adapter import adapter_config, ContextAdapter from pyams_utils.request import check_request from pyams_utils.traversing import get_parent +from pyramid.events import subscriber from zope.annotation.interfaces import IAnnotations from zope.container.folder import Folder from zope.interface import implementer @@ -82,6 +83,25 @@ principal = principal.id restrictions_folder[principal] = restrictions + def drop_restrictions(self, principal): + annotations = IAnnotations(self.context) + restrictions_folder = annotations.get(MANAGER_RESTRICTIONS_KEY) + if restrictions_folder is None: + return + if IPrincipalInfo.providedBy(principal): + principal = principal.id + if principal in restrictions_folder: + del restrictions_folder[principal] + + +@subscriber(IRevokedRoleEvent) +def handle_revoked_manager_role(event): + """Handle revoked manager role""" + if event.role_id == MANAGER_ROLE: + restrictions = IManagerRestrictions(event.object.__parent__, None) + if restrictions: + restrictions.drop_restrictions(event.principal_id) + @adapter_config(context=IWfSharedContent, provides=IManagerRestrictions) def SharedContentManagerRestrictions(context):