Fix Incoming mail (and related content types) deletion permissions for admins

src/pfwbged/policy/profiles/default/metadata.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <metadata>
-  <version>4</version>
+  <version>5</version>
   <dependencies>
     <dependency>profile-collective.dms.basecontent:default</dependency>
     <dependency>profile-collective.dms.batchimport:default</dependency>

src/pfwbged/policy/profiles/default/workflows/incomingmail_workflow/definition.xml

@@ -22,6 +22,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Manager</permission-role>
@@ -50,6 +51,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>
@@ -81,6 +83,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>
@@ -109,6 +112,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>
@@ -138,6 +142,7 @@
    <permission-role>Site Administrator</permission-role>
   </permission-map>
   <permission-map name="Delete objects" acquired="False">
+   <permission-role>Manager</permission-role>
   </permission-map>
   <permission-map name="Modify portal content" acquired="False">
    <permission-role>Editor</permission-role>

src/pfwbged/policy/upgrades/configure.zcml

@@ -37,4 +37,21 @@
 
   </genericsetup:upgradeSteps>
 
+  <genericsetup:upgradeSteps
+      source="4"
+      destination="5"
+      profile="pfwbged.policy:default">
+
+      <genericsetup:upgradeStep
+          title="Incoming mail deletion permissions for admins"
+          description=""
+          handler=".workflow.incomingmail_deletion_permissions"
+           />
+
+      <genericsetup:upgradeDepends
+          title="Reimport workflows"
+          import_steps="workflow" />
+
+  </genericsetup:upgradeSteps>
+
 </configure>

src/pfwbged/policy/upgrades/workflow.py

@@ -74,3 +74,27 @@ def update_refused_version_state(context):
                 overrideStatusOf(wf_id, version, old_state, new_state)
                 wf_def.updateRoleMappingsFor(version)
                 version.reindexObject(idxs=['allowedRolesAndUsers', 'review_state'])
+
+
+def refresh_workflow_permissions(context, workflow_id):
+    portal_workflow = api.portal.get_tool('portal_workflow')
+    portal_catalog = api.portal.get_tool('portal_catalog')
+    workflow = portal_workflow.getWorkflowById(workflow_id)
+    portal = api.portal.get()
+    folder_path = '/'.join(portal['documents'].getPhysicalPath())
+
+    for dx_type, wf_ids in portal_workflow._chains_by_type.items():
+        if workflow_id in wf_ids:
+            query = {'path': {
+                'query': folder_path},
+                'portal_type': dx_type}
+            results = portal_catalog.unrestrictedSearchResults(query)
+            for brain in results:
+                obj = brain.getObject()
+                workflow.updateRoleMappingsFor(obj)
+                obj.reindexObjectSecurity()
+                obj.reindexObject(idxs=['allowedRolesAndUsers'])
+
+
+def incomingmail_deletion_permissions(context):
+    refresh_workflow_permissions(context, "incomingmail_workflow")