Only index a group if the role is allowed to view

product/ERP5Catalog/CatalogTool.py

@@ -133,14 +133,13 @@ class IndexableObjectWrapper(object):
         optimized_role_set = set()
         # First parse optimized roles and build optimized_role_set
         for role_definition_group, user_and_role_list in local_roles_group_id_group_id.items():
-          try:
-            group_allowed_set = allowed_by_local_roles_group_id[role_definition_group]
-          except KeyError:
-            allowed_by_local_roles_group_id[role_definition_group] = group_allowed_set = set()
+          group_allowed_set = allowed_by_local_roles_group_id.setdefault(
+            role_definition_group, set())
           for user, role in user_and_role_list:
-            prefix = 'user:' + user
-            group_allowed_set.update((prefix, '%s:%s' % (prefix, role)))
-            optimized_role_set.add((user, role))
+            if role in allowed_role_set:
+              prefix = 'user:' + user
+              group_allowed_set.update((prefix, '%s:%s' % (prefix, role)))
+              optimized_role_set.add((user, role))
 
         # Then parse other roles
         for user, roles in localroles.iteritems():
@@ -155,10 +154,8 @@ class IndexableObjectWrapper(object):
                 user_view_permission_role_dict[role] = user
             elif role in allowed_role_set:
               for group in local_roles_group_id_group_id.get(user, ('', )):
-                try:
-                  group_allowed_set = allowed_by_local_roles_group_id[group]
-                except KeyError:
-                   allowed_by_local_roles_group_id[group] = group_allowed_set = set()
+                group_allowed_set = allowed_by_local_roles_group_id.setdefault(
+                  group, set())
                 if (user, role) not in optimized_role_set:
                   # add only if not already added to optimized_role_set to avoid polluting indexation table
                   group_allowed_set.update((prefix, '%s:%s' % (prefix, role)))

product/ERP5Catalog/tests/testERP5CatalogSecurityUidOptimization.py

@@ -41,16 +41,18 @@ class TestERP5CatalogSecurityUidOptimization(ERP5TypeTestCase):
     bt5 to be installed in advance.
     XXX: Inherit from TestERP5Catalog so we test default and security_uid optmization with same tests.
   """
-    
   business_template_list = ['erp5_security_uid_innodb_catalog',
                             'erp5_full_text_myisam_catalog','erp5_base']
 
   def getBusinessTemplateList(self):
     return self.business_template_list
-    
+
   def afterSetUp(self):
     self.login()
     portal = self.getPortal()
+    group = portal.portal_categories.group
+    if 'g1' not in group.objectIds():
+      group.newContent(portal_type='Category', id='g1', codification='GROUP1')
 
   def test_local_roles_group_id_on_role_information(self):
     """Test usage of local_roles_group_id when searching catalog.
@@ -111,6 +113,13 @@ CREATE TABLE alternate_roles_and_users (
       role_base_category_script_id='ERP5Type_getSecurityCategoryFromSelf',
       role_base_category='agent',
       local_role_group_value=self.portal.portal_categories.local_role_group.Alternate.getRelativeUrl())
+    # add another role information that does not grant view permission
+    self.portal.portal_types.Person.newContent(
+      portal_type='Role Information',
+      role_name='Unknown',
+      role_category_list=('group/g1'),
+      role_base_category='group',
+      local_role_group_value=self.portal.portal_categories.local_role_group.Alternate.getRelativeUrl())
 
     self.portal.portal_caches.clearAllCache()
     self.tic()
@@ -119,21 +128,23 @@ CREATE TABLE alternate_roles_and_users (
       # create two persons and users
       user1 = self.portal.person_module.newContent(portal_type='Person',
         reference='user1')
-      user1.newContent(portal_type='Assignment').open()
+      user1.newContent(portal_type='Assignment', group='g1').open()
       user1.updateLocalRolesOnSecurityGroups()
       self.assertEquals(user1.__ac_local_roles__.get('user1'), ['Auditor'])
+      self.assertEquals(user1.__ac_local_roles__.get('GROUP1'), ['Unknown'])
 
       user2 = self.portal.person_module.newContent(portal_type='Person',
         reference='user2')
-      user2.newContent(portal_type='Assignment').open()
+      user2.newContent(portal_type='Assignment', group='g1').open()
       user2.updateLocalRolesOnSecurityGroups()
       self.assertEquals(user2.__ac_local_roles__.get('user2'), ['Auditor'])
+      self.assertEquals(user2.__ac_local_roles__.get('GROUP1'), ['Unknown'])
       self.tic()
 
       # security_uid_dict in catalog contains entries for user1 and user2:
       user1_alternate_security_uid = sql_catalog.security_uid_dict[
         ('Alternate', ('user:user1', 'user:user1:Auditor'))]
-      bob_alternate_security_uid = sql_catalog.security_uid_dict[
+      user2_alternate_security_uid = sql_catalog.security_uid_dict[
         ('Alternate', ('user:user2', 'user:user2:Auditor'))]
 
       # those entries are in alternate security table
@@ -143,7 +154,7 @@ CREATE TABLE alternate_roles_and_users (
                            alternate_security_uid=user1_alternate_security_uid) in
                       alternate_roles_and_users)
       self.assertTrue(dict(uid=user2.getUid(),
-                           alternate_security_uid=bob_alternate_security_uid) in
+                           alternate_security_uid=user2_alternate_security_uid) in
                       alternate_roles_and_users)
 
       # low level check of the security query of a logged in user
@@ -168,11 +179,14 @@ CREATE TABLE alternate_roles_and_users (
           local_roles='Auditor')])
 
       # searches still work for other users
+      self.login('user2')
+      self.assertEquals([user2],
+        [o.getObject() for o in self.portal.portal_catalog(portal_type='Person')])
+
       self.login('ERP5TypeTestCase')
       self.assertSameSet([user1, user2],
         [o.getObject() for o in
           self.portal.portal_catalog(portal_type='Person')])
-
     finally:
       # restore catalog configuration
       sql_catalog.sql_search_tables = current_sql_search_tables