Fix unauthorized error when accessing immediate results entry view wi…

…th a client contact user (#2332) * Fix unauthorized error for immediate results entry * Changelog updated
senaite · Jun 8, 2023 · e1c6d96 · e1c6d96
1 parent 74e212d
commit e1c6d96
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 8 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,7 @@ Changelog
 2.5.0 (unreleased)
 ------------------
 
+- #2332 Fix unauthorized error when accessing immediate results entry view with a client contact user
 - #2295 Integrate new UID reference widget
 - #2315 Apply dynamic analyses specs for new added analyses
 - #2314 Display error for required fields without value in current language

diff --git a/src/bika/lims/browser/analysisrequest/add2.py b/src/bika/lims/browser/analysisrequest/add2.py
@@ -28,6 +28,7 @@
 from bika.lims import logger
 from bika.lims.api.analysisservice import get_calculation_dependencies_for
 from bika.lims.api.analysisservice import get_service_dependencies_for
+from bika.lims.api.security import check_permission
 from bika.lims.decorators import returns_json
 from bika.lims.interfaces import IAddSampleConfirmation
 from bika.lims.interfaces import IAddSampleFieldsFlush
@@ -48,6 +49,7 @@
 from Products.Five.browser import BrowserView
 from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
 from senaite.core.p3compat import cmp
+from senaite.core.permissions import TransitionMultiResults
 from zope.annotation.interfaces import IAnnotations
 from zope.component import getAdapters
 from zope.component import queryAdapter
@@ -1860,7 +1862,10 @@ def handle_redirect(self, uids, message):
         # Automatic label printing
         setup = api.get_setup()
         auto_print = self.is_automatic_label_printing_enabled()
-        immediate_results_entry = setup.getImmediateResultsEntry()
+        # Check if immediate results entry is enabled in setup and the current
+        # user has enough privileges to do so
+        multi_results = setup.getImmediateResultsEntry() and check_permission(
+            TransitionMultiResults, self.context)
         redirect_to = self.context.absolute_url()
 
         # UIDs of the new created samples
@@ -1882,7 +1887,7 @@ def handle_redirect(self, uids, message):
         elif auto_print and sample_uids:
             redirect_to = "{}/sticker?autoprint=1&items={}".format(
                 self.context.absolute_url(), sample_uids)
-        elif immediate_results_entry and sample_uids:
+        elif multi_results and sample_uids:
             redirect_to = "{}/multi_results?uids={}".format(
                 self.context.absolute_url(),
                 sample_uids)

diff --git a/src/senaite/core/adapters/sample.py b/src/senaite/core/adapters/sample.py
@@ -45,7 +45,7 @@ class WorkflowActionMultiResultsAdapter(RequestContextAware):
     def __call__(self, action, uids):
         """Redirects the user to the multi results form
         """
-        portal_url = api.get_url(api.get_portal())
-        url = "{}/samples/multi_results?uids={}".format(
-            portal_url, ",".join(uids))
+        context_url = api.get_url(self.context)
+        url = "{}/multi_results?uids={}".format(
+            context_url, ",".join(uids))
         return self.redirect(redirect_url=url)
diff --git a/src/senaite/core/browser/samples/configure.zcml b/src/senaite/core/browser/samples/configure.zcml
@@ -19,12 +19,22 @@
       permission="senaite.core.permissions.TransitionDispatchSample"
       layer="senaite.core.interfaces.ISenaiteCore" />
 
-  <!-- Multi results view -->
+  <!-- Multi results view
+
+       NOTE:
+
+       We use the permission `zope2.View` to allow client contacts with local
+       (shared) roles to access the view from the global samples listing.
+
+       Otherwise we would need to add a check in the samples listing view to
+       redirect the client contact into the right client context for each access,
+       which would probably have a negative impact on the performance.
+  -->
   <browser:page
       for="*"
       name="multi_results"
       class=".multi_results.MultiResultsView"
-      permission="senaite.core.permissions.TransitionMultiResults"
+      permission="zope2.View"
       layer="senaite.core.interfaces.ISenaiteCore" />
 
   <!-- Manage Sample Fields -->

diff --git a/src/senaite/core/browser/samples/multi_results.py b/src/senaite/core/browser/samples/multi_results.py
@@ -40,7 +40,6 @@ def __init__(self, context, request):
         super(MultiResultsView, self).__init__(context, request)
         self.context = context
         self.request = request
-        self.portal = api.get_portal()
 
     def __call__(self):
         return self.template()