From 0a6d80a9a984b1d573e23336b383823d10003fac Mon Sep 17 00:00:00 2001
From: tschorr <t_schorr@gmx.de>
Date: Tue, 16 Oct 2018 13:14:16 +0200
Subject: [PATCH 1/4] show only local roles when inherit=False

---
 src/plone/api/group.py            | 11 ++++-------
 src/plone/api/tests/test_group.py | 29 +++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/src/plone/api/group.py b/src/plone/api/group.py
index a7b4b43c..be8d50f3 100644
--- a/src/plone/api/group.py
+++ b/src/plone/api/group.py
@@ -216,6 +216,8 @@ def get_roles(groupname=None, group=None, obj=None, inherit=True):
     :type group: GroupData object
     :param obj: If obj is set then return local roles on this context.
     :type obj: content object
+    :param inherit: Show only local roles if False
+    :type inherit: boolean
     :raises:
         ValueError
     :Example: :ref:`group_get_roles_example`
@@ -239,17 +241,12 @@ def get_roles(groupname=None, group=None, obj=None, inherit=True):
     else:
         # get only the local roles on a object
         # same as above we use the PloneUser version of getRolesInContext.
-        # Include roles inherited from being the member of a group
-        # and from adapters granting local roles
-        plone_user = super(group.__class__, group)
-        principal_ids = list(plone_user.getGroups())
-        principal_ids.insert(0, plone_user.getId())
+        # Include roles from adapters granting local roles
         roles = set([])
         pas = portal.get_tool('acl_users')
         for _, lrmanager in pas.plugins.listPlugins(ILocalRolesPlugin):
             for adapter in lrmanager._getAdapters(obj):
-                for principal_id in principal_ids:
-                    roles.update(adapter.getRoles(principal_id))
+                roles.update(adapter.getRoles(group_id))
         return list(roles)
 
 
diff --git a/src/plone/api/tests/test_group.py b/src/plone/api/tests/test_group.py
index 8c96ec95..e2dc59dc 100644
--- a/src/plone/api/tests/test_group.py
+++ b/src/plone/api/tests/test_group.py
@@ -775,3 +775,32 @@ def test_revoke_roles_in_context(self):
             ROLES,
             set(api.group.get_roles(group=group, obj=document)),
         )
+
+    def test_local_roles_no_inheritance(self):
+        """Test possibility to disregard roles
+        for inherited groups."""
+        api.group.create(groupname='ploneboat')
+        portal = api.portal.get()
+        folder = api.content.create(
+            container=portal,
+            type='Folder',
+            id='folder_one',
+            title='Folder One',
+        )
+        document = api.content.create(
+            container=folder,
+            type='Document',
+            id='document_one',
+            title='Document One',
+        )
+        api.group.grant_roles(
+            groupname='ploneboat',
+            roles=['Reviewer', 'Editor'],
+            obj=document,
+        )
+        document.manage_setLocalRoles(
+            'AuthenticatedUsers', ('Reader',))
+        self.assertNotIn(
+            'Reader',
+            api.group.get_roles(groupname='ploneboat', inherit=False, obj=document)
+        )

From 488c2fc2de833dc3c52b610a20430023f2645738 Mon Sep 17 00:00:00 2001
From: tschorr <t_schorr@gmx.de>
Date: Tue, 16 Oct 2018 13:16:26 +0200
Subject: [PATCH 2/4] update changelog

---
 CHANGES.rst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 61f18ded..46506aa9 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -14,7 +14,8 @@ New features:
 
 Bug fixes:
 
-- *add item here*
+- Show only local roles when inherit=False.
+  [tschorr]
 
 
 1.9.0 (2018-09-27)
@@ -34,7 +35,7 @@ Bug fixes:
 - Removed allow-hosts from base.cfg, so we can use the new pypi warehouse.
   Refs https://github.com/plone/plone.api/issues/403
   [jaroel]
-  
+
 - fix typos in doc strings
   [tkimnguyen]
 

From ab6e9bdfc3e99aef0262b165c65b9973fa7dce3c Mon Sep 17 00:00:00 2001
From: tschorr <t_schorr@gmx.de>
Date: Tue, 16 Oct 2018 13:26:40 +0200
Subject: [PATCH 3/4] PEP8

---
 src/plone/api/tests/test_group.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/plone/api/tests/test_group.py b/src/plone/api/tests/test_group.py
index e2dc59dc..94574f31 100644
--- a/src/plone/api/tests/test_group.py
+++ b/src/plone/api/tests/test_group.py
@@ -802,5 +802,6 @@ def test_local_roles_no_inheritance(self):
             'AuthenticatedUsers', ('Reader',))
         self.assertNotIn(
             'Reader',
-            api.group.get_roles(groupname='ploneboat', inherit=False, obj=document)
+            api.group.get_roles(
+                groupname='ploneboat', inherit=False, obj=document),
         )

From 96e4e48494d4efd684f3033609bfd75f30962b0d Mon Sep 17 00:00:00 2001
From: tschorr <t_schorr@gmx.de>
Date: Tue, 16 Oct 2018 14:10:51 +0200
Subject: [PATCH 4/4] PEP8

---
 src/plone/api/tests/test_group.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/plone/api/tests/test_group.py b/src/plone/api/tests/test_group.py
index 94574f31..907973e3 100644
--- a/src/plone/api/tests/test_group.py
+++ b/src/plone/api/tests/test_group.py
@@ -798,10 +798,8 @@ def test_local_roles_no_inheritance(self):
             roles=['Reviewer', 'Editor'],
             obj=document,
         )
-        document.manage_setLocalRoles(
-            'AuthenticatedUsers', ('Reader',))
+        document.manage_setLocalRoles('AuthenticatedUsers', ('Reader',))
         self.assertNotIn(
             'Reader',
-            api.group.get_roles(
-                groupname='ploneboat', inherit=False, obj=document),
+            api.group.get_roles(groupname='ploneboat', inherit=False, obj=document),  # noqa: E501
         )