diff --git a/src/pfwbged/folder/folder.py b/src/pfwbged/folder/folder.py index 8cfd235..a610c69 100644 --- a/src/pfwbged/folder/folder.py +++ b/src/pfwbged/folder/folder.py @@ -1,7 +1,7 @@ +from AccessControl import getSecurityManager from zope.interface import implements from five import grok -from zope import schema, component -from plone.directives import form +from zope import component from zc.relation.interfaces import ICatalog from zope.app.intid.interfaces import IIntIds @@ -19,7 +19,7 @@ from plone.dexterity.interfaces import IDexterityContainer from pfwbged.collection.searchview import ResultsTable -from . import _ +from .link import ILink class IFolder(model.Schema): """ """ @@ -52,6 +52,7 @@ class FolderViewlet(grok.Viewlet): if self.context.id == 'documents' and aq_parent(self.context).portal_type == 'Plone Site': # never return anything in the main documents folder return [] + intids = component.getUtility(IIntIds) intid_catalog = component.getUtility(ICatalog) portal_catalog = api.portal.get_tool('portal_catalog') @@ -59,13 +60,24 @@ class FolderViewlet(grok.Viewlet): intid = intids.getId(self.context) except KeyError: return [] + documents = [] - for item in intid_catalog.findRelations({'to_id': intid}): + sm = getSecurityManager() + for item in intid_catalog.findRelations({ + 'to_id': intid, + 'from_interfaces_flattened': ILink}): if item.isBroken(): continue - document = aq_parent(item.from_object) + + link = item.from_object + if not sm.checkPermission('View', link): + continue + + document = aq_parent(link) +# documents.append(document) # this is stupid, getting back to the brain, but the rest of the # stuff expects a brain, not an actual object. uuid = IUUID(document, None) - documents.extend(portal_catalog({'UID': uuid})) + documents.extend(portal_catalog.unrestrictedSearchResults({'UID': uuid})) + return documents
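Review bot: In the last hunk (`@@ -59,13 +60,24 @@`) the `View` check is made on `link`, but the brain that ends up in `documents` belongs to `document`, and it is now fetched with `portal_catalog.unrestrictedSearchResults(...)`, which skips the catalog's own permission and effective-date filtering. Unless a viewable link always implies a viewable parent (not visible in this diff), a user could be shown brain metadata for a document they cannot view; adding `if not sm.checkPermission('View', document): continue` right after `document = aq_parent(link)` keeps the unrestricted query from widening access. `IUUID(document, None)` can return `None`, so an explicit `if uuid is None: continue` before the query would avoid depending on how the UID index treats a `None` key in an unrestricted search. The added `# documents.append(document)` line is commented-out code and could be dropped. The method body starts above this hunk, so callers and any earlier checks are not visible here.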