From 789d8f1e0bf0a5f266154d0a2d802185c9717b96 Mon Sep 17 00:00:00 2001
From: Nicolas Demonte <nicolas@affinitic.be>
Date: Mon, 22 Jul 2019 15:30:58 +0200
Subject: [PATCH] Fix Incoming mail (and related content types) deletion
 permissions for admins

---
 .../policy/profiles/default/metadata.xml      |  2 +-
 .../incomingmail_workflow/definition.xml      |  5 ++++
 src/pfwbged/policy/upgrades/configure.zcml    | 17 +++++++++++++
 src/pfwbged/policy/upgrades/workflow.py       | 24 +++++++++++++++++++
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/src/pfwbged/policy/profiles/default/metadata.xml b/src/pfwbged/policy/profiles/default/metadata.xml
index 045ee67..535b534 100644
--- a/src/pfwbged/policy/profiles/default/metadata.xml
+++ b/src/pfwbged/policy/profiles/default/metadata.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <metadata>
-  <version>4</version>
+  <version>5</version>
   <dependencies>
     <dependency>profile-collective.dms.basecontent:default</dependency>
     <dependency>profile-collective.dms.batchimport:default</dependency>
diff --git a/src/pfwbged/policy/profiles/default/workflows/incomingmail_workflow/definition.xml b/src/pfwbged/policy/profiles/default/workflows/incomingmail_workflow/definition.xml
index 06e5a1b..d14842f 100644
--- a/src/pfwbged/policy/profiles/default/workflows/incomingmail_workflow/definition.xml
+++ b/src/pfwbged/policy/profiles/default/workflows/incomingmail_workflow/definition.xml
@@ -22,6 +22,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Manager</permission-role>
@@ -50,6 +51,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>
@@ -81,6 +83,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>
@@ -109,6 +112,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>
@@ -138,6 +142,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>
diff --git a/src/pfwbged/policy/upgrades/configure.zcml b/src/pfwbged/policy/upgrades/configure.zcml
index b2a920f..f801cc0 100644
--- a/src/pfwbged/policy/upgrades/configure.zcml
+++ b/src/pfwbged/policy/upgrades/configure.zcml
@@ -37,4 +37,21 @@
 
   </genericsetup:upgradeSteps>
 
+  <genericsetup:upgradeSteps
+      source="4"
+      destination="5"
+      profile="pfwbged.policy:default">
+
+      <genericsetup:upgradeStep
+          title="Incoming mail deletion permissions for admins"
+          description=""
+          handler=".workflow.incomingmail_deletion_permissions"
+           />
+
+      <genericsetup:upgradeDepends
+          title="Reimport workflows"
+          import_steps="workflow" />
+
+  </genericsetup:upgradeSteps>
+
 </configure>
diff --git a/src/pfwbged/policy/upgrades/workflow.py b/src/pfwbged/policy/upgrades/workflow.py
index cd845c0..d466db3 100644
--- a/src/pfwbged/policy/upgrades/workflow.py
+++ b/src/pfwbged/policy/upgrades/workflow.py
@@ -74,3 +74,27 @@ def update_refused_version_state(context):
                 overrideStatusOf(wf_id, version, old_state, new_state)
                 wf_def.updateRoleMappingsFor(version)
                 version.reindexObject(idxs=['allowedRolesAndUsers', 'review_state'])
+
+
+def refresh_workflow_permissions(context, workflow_id):
+    portal_workflow = api.portal.get_tool('portal_workflow')
+    portal_catalog = api.portal.get_tool('portal_catalog')
+    workflow = portal_workflow.getWorkflowById(workflow_id)
+    portal = api.portal.get()
+    folder_path = '/'.join(portal['documents'].getPhysicalPath())
+
+    for dx_type, wf_ids in portal_workflow._chains_by_type.items():
+        if workflow_id in wf_ids:
+            query = {'path': {
+                'query': folder_path},
+                'portal_type': dx_type}
+            results = portal_catalog.unrestrictedSearchResults(query)
+            for brain in results:
+                obj = brain.getObject()
+                workflow.updateRoleMappingsFor(obj)
+                obj.reindexObjectSecurity()
+                obj.reindexObject(idxs=['allowedRolesAndUsers'])
+
+
+def incomingmail_deletion_permissions(context):
+    refresh_workflow_permissions(context, "incomingmail_workflow")