# HG changeset patch
# User Thierry Florac <tflorac@ulthar.net>
# Date 1511686500 -3600
# Node ID 834b484129fd9c562746e634ac37950a0f89159b
# Parent  1a27b43375d6c922f973e77573990960cbe8b458
Updated default shared content form permission checker

diff -r 1a27b43375d6 -r 834b484129fd src/pyams_content/shared/common/zmi/__init__.py
--- a/src/pyams_content/shared/common/zmi/__init__.py	Sun Nov 26 09:54:10 2017 +0100
+++ b/src/pyams_content/shared/common/zmi/__init__.py	Sun Nov 26 09:55:00 2017 +0100
@@ -52,6 +52,7 @@
 from pyams_viewlet.viewlet import viewlet_config, Viewlet
 from pyams_workflow.versions import WorkflowHistoryItem
 from pyams_zmi.form import AdminDialogAddForm
+from pyramid.location import lineage
 from pyramid.view import view_config
 from z3c.form import field, button
 from zope.copy import copy
@@ -100,7 +101,7 @@
     def add(self, wf_content):
         content = self.context.shared_content_factory()
         self.request.registry.notify(ObjectCreatedEvent(content))
-        uuid = self.__uuid = str(uuid4())
+        self.__uuid = uuid = str(uuid4())
         self.context[uuid] = content
         IWorkflowVersions(content).add_version(wf_content, None)
         IWorkflowInfo(wf_content).fire_transition('init', comment=wf_content.notepad)
@@ -161,14 +162,31 @@
             if state in workflow.manager_states:  # restricted manager access
                 if principal_id in self.context.managers:
                     return PUBLISH_CONTENT_PERMISSION
-                restrictions = IManagerRestrictions(self.context).get_restrictions(principal_id)
-                if restrictions and restrictions.check_access(self.context,
+                for parent in lineage(self.context):
+                    manager_restrictions = IManagerRestrictions(parent, None)
+                    if manager_restrictions is not None:
+                        user_restrictions = manager_restrictions.get_restrictions(principal_id)
+                        if user_restrictions:
+                            if user_restrictions.check_access(self.context,
                                                               permission=PUBLISH_CONTENT_PERMISSION,
                                                               request=request):
-                    return PUBLISH_CONTENT_PERMISSION
+                                return PUBLISH_CONTENT_PERMISSION
+                            else:
+                                return FORBIDDEN_PERMISSION
             else:
                 if principal_id in self.context.owner | self.context.contributors | self.context.managers:
                     return MANAGE_CONTENT_PERMISSION
+                for parent in lineage(self.context):
+                    manager_restrictions = IManagerRestrictions(parent, None)
+                    if manager_restrictions is not None:
+                        user_restrictions = manager_restrictions.get_restrictions(principal_id)
+                        if user_restrictions:
+                            if user_restrictions.check_access(self.context,
+                                                              permission=MANAGE_CONTENT_PERMISSION,
+                                                              request=request):
+                                return MANAGE_CONTENT_PERMISSION
+                            else:
+                                return FORBIDDEN_PERMISSION
                 restrictions = IManagerRestrictions(self.context).get_restrictions(principal_id)
                 if restrictions and restrictions.check_access(self.context,
                                                               permission=MANAGE_CONTENT_PERMISSION,