From 1139441ea0946c0251a41341eaceb02f9dc01372 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= Date: Tue, 11 Oct 2011 10:36:06 -0400 Subject: [PATCH] previewdoc: do not use @@downloadurl, to avoid content-disposition being set --- themis/fields/widgets.py | 50 +++++++++++++++++++++++++++++++++++--- themis/fields/widgets.zcml | 6 +++++ 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/themis/fields/widgets.py b/themis/fields/widgets.py index 2a0e2e5..25ae6aa 100644 --- a/themis/fields/widgets.py +++ b/themis/fields/widgets.py @@ -1,4 +1,8 @@ +from AccessControl import getSecurityManager +from AccessControl import ClassSecurityInfo + from Acquisition import ImplicitAcquisitionWrapper +from Acquisition.interfaces import IAcquirer from zope.interface import implements, implementsOnly, implementer from zope.component import adapts, adapter @@ -10,6 +14,8 @@ from z3c.form.widget import Widget, FieldWidget from collective.z3cform.datetimewidget import DateWidget from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile +from Products.Five.browser import BrowserView + from z3c.form.converter import BaseDataConverter @@ -350,6 +356,9 @@ def PreviewDocFieldWidget(field, request): class PreviewDocWidget(Widget): implements(IPreviewDocWidget) + security = ClassSecurityInfo() + security.declareObjectPublic() + def width(self): if hasattr(self.field, 'width'): return self.field.width @@ -369,9 +378,8 @@ class PreviewDocWidget(Widget): def href(self): if not hasattr(self.context, self.get_attribute_name()): return None - if getattr(self.context, self.get_attribute_name()): - return self.form.widgets[self.get_attribute_name()].download_url - return None + form_url = self.request.getURL() + return "%s/++widget++%s/@@file" % (form_url, self.name) def filename(self): if not hasattr(self.context, self.get_attribute_name()): 
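Review bot: The `security = ClassSecurityInfo()` / `security.declareObjectPublic()` pair added to PreviewDocWidget in the `@@ -350,6 +356,9 @@` hunk only takes effect once `InitializeClass(PreviewDocWidget)` has run, and nothing in this patch calls it. Unless that call exists elsewhere in the module, the widget keeps its previous protection and the new `++widget++<name>/@@file` traversal may still be refused. Either add `InitializeClass(PreviewDocWidget)` after the class body (importable from `AccessControl.class_init`) or put a comment next to the declaration naming where the class is initialized. The PreviewDocWidget class body continues outside the hunk.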
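Review bot: The rewritten `href` in the `@@ -369,9 +378,8 @@` hunk drops the removed `if getattr(self.context, self.get_attribute_name()):` guard, so it now returns the `@@file` URL as soon as the attribute exists, even when its value is None or empty, and the display template will link to a view that has no file to serve. Keep the guard ahead of the URL construction: `if not getattr(self.context, self.get_attribute_name()): return None`. `self.request.getURL()` is the URL of the request being rendered, which is presumably the form's URL; if the widget can be rendered from a different URL (a sub-form or another view), deriving the base from `self.form` would be safer, and a one-line comment should state which one is assumed. The PreviewDocWidget class continues outside the hunk.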
@@ -382,3 +390,39 @@ class PreviewDocWidget(Widget): return 'unknown.pdf' return '' +class PreviewDocFile(BrowserView): + + def validate_access(self): + # copied from autocompletewidget + + content = self.context.form.context + + # If the object is not wrapped in an acquisition chain + # we cannot check any permission. + if not IAcquirer.providedBy(content): + return + + url = self.request.getURL() + view_name = url[len(content.absolute_url()):].split('/')[1] + + # May raise Unauthorized + + # If the view is 'edit', then traversal prefers the view and + # restrictedTraverse prefers the edit() method present on most CMF + # content. Sigh... + if not view_name.startswith('@@') and not view_name.startswith('++'): + view_name = '@@' + view_name + + view_instance = content.restrictedTraverse(view_name) + sm = getSecurityManager() + sm.validate(content, content, view_name, view_instance) + + + def __call__(self): + self.validate_access() + file = getattr(self.context.context, self.context.get_attribute_name()) + if file.contentType: + self.request.response.setHeader('Content-type', file.contentType) + else: + self.request.response.setHeader('Content-type', 'application/octet-stream') + return file.data diff --git a/themis/fields/widgets.zcml b/themis/fields/widgets.zcml index d454f71..78510a6 100644 --- a/themis/fields/widgets.zcml +++ b/themis/fields/widgets.zcml @@ -105,4 +105,10 @@ layer="z3c.form.interfaces.IFormLayer" template="previewdoc_display.pt"/> + +
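Review bot: `__call__` dereferences `file.contentType` without checking that the field is set, so a request to `@@file` for an empty field ends in an AttributeError (500) rather than a 404, and since the new `href` in the earlier hunk no longer guards against an empty value this view is reachable for such fields. `validate_access` also returns without performing any check when the content is not IAcquirer, a fail-open copied from autocompletewidget; for a view that hands out the raw upload, failing closed (`raise Unauthorized`, importable from AccessControl) is the safer default, or at minimum the early return needs a comment explaining why it is acceptable here. Because the commit deliberately serves the stored bytes inline under the stored `contentType`, sending `X-Content-Type-Options: nosniff` (and, if the field is meant for PDFs only, refusing other types) limits what a user-supplied upload can do when rendered in the site's origin. The local name `file` shadows the builtin and is cheap to rename.
```python
    def __call__(self):
        self.validate_access()
        stored = getattr(self.context.context, self.context.get_attribute_name(), None)
        if stored is None:
            # Nothing uploaded for this field: answer 404 rather than AttributeError.
            self.request.response.setStatus(404)
            return ''
        response = self.request.response
        response.setHeader('Content-Type', stored.contentType or 'application/octet-stream')
        # Inline delivery of user-supplied bytes: stop browsers from second-guessing the type.
        response.setHeader('X-Content-Type-Options', 'nosniff')
        return stored.data
```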