diff --git a/CHANGES.rst b/CHANGES.rst index 61f18ded..46506aa9 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -14,7 +14,8 @@ New features: Bug fixes: -- *add item here* +- Show only local roles when inherit=False. + [tschorr] 1.9.0 (2018-09-27) @@ -34,7 +35,7 @@ Bug fixes: - Removed allow-hosts from base.cfg, so we can use the new pypi warehouse. Refs https://github.com/plone/plone.api/issues/403 [jaroel] - + - fix typos in doc strings [tkimnguyen] diff --git a/src/plone/api/group.py b/src/plone/api/group.py index a7b4b43c..be8d50f3 100644 --- a/src/plone/api/group.py +++ b/src/plone/api/group.py @@ -216,6 +216,8 @@ def get_roles(groupname=None, group=None, obj=None, inherit=True): :type group: GroupData object :param obj: If obj is set then return local roles on this context. :type obj: content object + :param inherit: Show only local roles if False + :type inherit: boolean :raises: ValueError :Example: :ref:`group_get_roles_example` @@ -239,17 +241,12 @@ def get_roles(groupname=None, group=None, obj=None, inherit=True): else: # get only the local roles on a object # same as above we use the PloneUser version of getRolesInContext. - # Include roles inherited from being the member of a group - # and from adapters granting local roles - plone_user = super(group.__class__, group) - principal_ids = list(plone_user.getGroups()) - principal_ids.insert(0, plone_user.getId()) + # Include roles from adapters granting local roles roles = set([]) pas = portal.get_tool('acl_users') for _, lrmanager in pas.plugins.listPlugins(ILocalRolesPlugin): for adapter in lrmanager._getAdapters(obj): - for principal_id in principal_ids: - roles.update(adapter.getRoles(principal_id)) + roles.update(adapter.getRoles(group_id)) return list(roles) diff --git a/src/plone/api/tests/test_group.py b/src/plone/api/tests/test_group.py index 8c96ec95..907973e3 100644 --- a/src/plone/api/tests/test_group.py +++ b/src/plone/api/tests/test_group.py @@ -775,3 +775,31 @@ def test_revoke_roles_in_context(self): ROLES, set(api.group.get_roles(group=group, obj=document)), ) + + def test_local_roles_no_inheritance(self): + """Test possibility to disregard roles + for inherited groups.""" + api.group.create(groupname='ploneboat') + portal = api.portal.get() + folder = api.content.create( + container=portal, + type='Folder', + id='folder_one', + title='Folder One', + ) + document = api.content.create( + container=folder, + type='Document', + id='document_one', + title='Document One', + ) + api.group.grant_roles( + groupname='ploneboat', + roles=['Reviewer', 'Editor'], + obj=document, + ) + document.manage_setLocalRoles('AuthenticatedUsers', ('Reader',)) + self.assertNotIn( + 'Reader', + api.group.get_roles(groupname='ploneboat', inherit=False, obj=document), # noqa: E501 + )