--- a/src/pyams_content/shared/common/security.py Sun Nov 26 09:55:24 2017 +0100
+++ b/src/pyams_content/shared/common/security.py Sun Nov 26 09:56:01 2017 +0100
@@ -16,16 +16,17 @@
# import standard library
# import interfaces
-from pyams_content.interfaces import MANAGE_CONTENT_PERMISSION
+from pyams_content.interfaces import MANAGE_CONTENT_PERMISSION, MANAGER_ROLE
from pyams_content.shared.common.interfaces import IWfSharedContent, IManagerRestrictions, MANAGER_RESTRICTIONS_KEY, \
IManagerRestrictionsFactory, IBaseSharedTool, IManagerRestrictionInfo
# import packages
from persistent import Persistent
-from pyams_security.interfaces import IPrincipalInfo
+from pyams_security.interfaces import IPrincipalInfo, IRevokedRoleEvent
from pyams_utils.adapter import adapter_config, ContextAdapter
from pyams_utils.request import check_request
from pyams_utils.traversing import get_parent
+from pyramid.events import subscriber
from zope.annotation.interfaces import IAnnotations
from zope.container.folder import Folder
from zope.interface import implementer
@@ -82,6 +83,25 @@
principal = principal.id
restrictions_folder[principal] = restrictions
+ def drop_restrictions(self, principal):
+ annotations = IAnnotations(self.context)
+ restrictions_folder = annotations.get(MANAGER_RESTRICTIONS_KEY)
+ if restrictions_folder is None:
+ return
+ if IPrincipalInfo.providedBy(principal):
+ principal = principal.id
+ if principal in restrictions_folder:
+ del restrictions_folder[principal]
+
+
+@subscriber(IRevokedRoleEvent)
+def handle_revoked_manager_role(event):
+ """Handle revoked manager role"""
+ if event.role_id == MANAGER_ROLE:
+ restrictions = IManagerRestrictions(event.object.__parent__, None)
+ if restrictions:
+ restrictions.drop_restrictions(event.principal_id)
+
@adapter_config(context=IWfSharedContent, provides=IManagerRestrictions)
def SharedContentManagerRestrictions(context):
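Review bot: In `handle_revoked_manager_role` the lookup `IManagerRestrictions(event.object.__parent__, None)` reads `__parent__` unguarded, so a MANAGER_ROLE revocation notified for an object without that attribute would raise inside the subscriber, and presumably the error would propagate into the code performing the revocation. Because this handler only cleans up stored restriction records, a cleanup failure should not be able to interrupt the revocation itself: `restrictions = IManagerRestrictions(getattr(event.object, '__parent__', None), None)` followed by `if restrictions is not None:` would cover that, and the explicit `None` test also stops the cleanup from depending on the adapter's truthiness. `drop_restrictions` has no docstring; `"""Remove stored restrictions of given principal, if any"""` would match the one-line style used on the handler. The class containing `drop_restrictions` starts outside this hunk, and whether `IManagerRestrictions` declares the new method is not visible here.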