From 0036c4ba850d79d5b9d3007e1a5ac94d00cfc0b0 Mon Sep 17 00:00:00 2001
From: Arnaud Fontaine <arnaud.fontaine@nexedi.com>
Date: Thu, 15 Aug 2013 20:47:00 +0900
Subject: [PATCH] ZODB Components: Only Manager or Developer Role should be
 able to access Component Tools and Components.

---
 product/ERP5Type/Tool/ComponentTool.py               | 10 +++++-----
 product/ERP5Type/tests/testDynamicClassGeneration.py |  6 ++++++
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/product/ERP5Type/Tool/ComponentTool.py b/product/ERP5Type/Tool/ComponentTool.py
index f6faa74dbf..c42d7f0a35 100644
--- a/product/ERP5Type/Tool/ComponentTool.py
+++ b/product/ERP5Type/Tool/ComponentTool.py
@@ -82,12 +82,12 @@ class ComponentTool(BaseTool):
         permission_function = lambda self: ('Manager',)
       elif permission_name in ('Change permissions', 'Define permissions'):
         permission_function = lambda self: ()
-      elif not (permission_name.startswith('Access ') or
-                permission_name.startswith('View') or
-                permission_name.startswith('WebDAV')):
-        permission_function = lambda self: ('Developer',)
+      elif (permission_name.startswith('Access ') or
+            permission_name.startswith('View') or
+            permission_name == 'WebDAV access'):
+        permission_function = lambda self: ('Developer', 'Manager')
       else:
-        continue
+        permission_function = lambda self: ('Developer',)
 
       setattr(cls, pname(permission_name), property(permission_function))
 
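Review bot: The prefix tests in the new `elif` decide who may read component source, but nothing in the hunk explains why `'View'` is matched without a trailing space while `'Access '` has one and WebDAV is now an exact match. As written, any permission whose name merely starts with `View` gets the `('Developer', 'Manager')` mapping, and every WebDAV permission other than `'WebDAV access'` falls through to the Developer-only `else`. If that is intended, a comment above the branch would make the policy auditable, e.g. `# Read-type permissions: Developer and Manager only; every other permission falls through to Developer only`. The enclosing loop and method start outside the hunk, so the earlier branches are only partly visible here.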
diff --git a/product/ERP5Type/tests/testDynamicClassGeneration.py b/product/ERP5Type/tests/testDynamicClassGeneration.py
index 3d5c825d66..555fddf5cd 100644
--- a/product/ERP5Type/tests/testDynamicClassGeneration.py
+++ b/product/ERP5Type/tests/testDynamicClassGeneration.py
@@ -1802,6 +1802,12 @@ def bar(*args, **kwargs):
 
     self.tic()
 
+    # Anonymous should not even be able to view/access Component Tool
+    self.failIfUserCanViewDocument(None, self._component_tool)
+    self.failIfUserCanAccessDocument(None, self._component_tool)
+    self.failIfUserCanViewDocument(None, component)
+    self.failIfUserCanAccessDocument(None, component)
+
     user_id = 'ERP5TypeTestCase'
 
     self.assertUserCanChangeLocalRoles(user_id, self._component_tool)
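Review bot: The added assertions cover only the anonymous case (`None`), although the commit subject says that only Manager or Developer should have access. A logged-in user who holds neither role is not checked, and that case could regress unnoticed if a role mapping is loosened later. Consider repeating the four `failIfUser...` checks for such a user, e.g. `self.failIfUserCanViewDocument(<user_id_without_developer_or_manager>, component)`, where the placeholder stands for a test user that holds neither role. The test method begins and continues outside the hunk, so an equivalent check may already exist elsewhere.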
-- 
2.30.9