From 3265135c205cded8d0b6beff526045a9569e18a4 Mon Sep 17 00:00:00 2001
From: Ramon Bartl <rb@ridingbytes.com>
Date: Thu, 8 Jun 2023 12:34:51 +0200
Subject: [PATCH 1/2] Fix unauthorized error for immediate results entry

---
 src/bika/lims/browser/analysisrequest/add2.py     |  9 +++++++--
 src/senaite/core/adapters/sample.py               |  6 +++---
 src/senaite/core/browser/samples/configure.zcml   | 14 ++++++++++++--
 src/senaite/core/browser/samples/multi_results.py |  1 -
 4 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/bika/lims/browser/analysisrequest/add2.py b/src/bika/lims/browser/analysisrequest/add2.py
index f9c2f41882..ce92358da8 100644
--- a/src/bika/lims/browser/analysisrequest/add2.py
+++ b/src/bika/lims/browser/analysisrequest/add2.py
@@ -28,6 +28,7 @@
 from bika.lims import logger
 from bika.lims.api.analysisservice import get_calculation_dependencies_for
 from bika.lims.api.analysisservice import get_service_dependencies_for
+from bika.lims.api.security import check_permission
 from bika.lims.decorators import returns_json
 from bika.lims.interfaces import IAddSampleConfirmation
 from bika.lims.interfaces import IAddSampleFieldsFlush
@@ -48,6 +49,7 @@
 from Products.Five.browser import BrowserView
 from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
 from senaite.core.p3compat import cmp
+from senaite.core.permissions import TransitionMultiResults
 from zope.annotation.interfaces import IAnnotations
 from zope.component import getAdapters
 from zope.component import queryAdapter
@@ -1860,7 +1862,10 @@ def handle_redirect(self, uids, message):
         # Automatic label printing
         setup = api.get_setup()
         auto_print = self.is_automatic_label_printing_enabled()
-        immediate_results_entry = setup.getImmediateResultsEntry()
+        # Check if immediate results entry is enabled in setup and the current
+        # user has enough privileges to do so
+        multi_results = setup.getImmediateResultsEntry() and check_permission(
+            TransitionMultiResults, self.context)
         redirect_to = self.context.absolute_url()
 
         # UIDs of the new created samples
@@ -1882,7 +1887,7 @@ def handle_redirect(self, uids, message):
         elif auto_print and sample_uids:
             redirect_to = "{}/sticker?autoprint=1&items={}".format(
                 self.context.absolute_url(), sample_uids)
-        elif immediate_results_entry and sample_uids:
+        elif multi_results and sample_uids:
             redirect_to = "{}/multi_results?uids={}".format(
                 self.context.absolute_url(),
                 sample_uids)
diff --git a/src/senaite/core/adapters/sample.py b/src/senaite/core/adapters/sample.py
index 4ac8718468..917331e756 100644
--- a/src/senaite/core/adapters/sample.py
+++ b/src/senaite/core/adapters/sample.py
@@ -45,7 +45,7 @@ class WorkflowActionMultiResultsAdapter(RequestContextAware):
     def __call__(self, action, uids):
         """Redirects the user to the multi results form
         """
-        portal_url = api.get_url(api.get_portal())
-        url = "{}/samples/multi_results?uids={}".format(
-            portal_url, ",".join(uids))
+        context_url = api.get_url(self.context)
+        url = "{}/multi_results?uids={}".format(
+            context_url, ",".join(uids))
         return self.redirect(redirect_url=url)
diff --git a/src/senaite/core/browser/samples/configure.zcml b/src/senaite/core/browser/samples/configure.zcml
index dc58d16523..f09b660f1b 100644
--- a/src/senaite/core/browser/samples/configure.zcml
+++ b/src/senaite/core/browser/samples/configure.zcml
@@ -19,12 +19,22 @@
       permission="senaite.core.permissions.TransitionDispatchSample"
       layer="senaite.core.interfaces.ISenaiteCore" />
 
-  <!-- Multi results view -->
+  <!-- Multi results view
+
+       NOTE:
+
+       We use the permission `zope2.View` to allow client contacts with local
+       (shared) roles to access the view from the global samples listing.
+
+       Otherwise we would need to add a check in the samples listing view to
+       redirect the client contact into the right client context for each access,
+       which would probably have a negative impact on the performance.
+  -->
   <browser:page
       for="*"
       name="multi_results"
       class=".multi_results.MultiResultsView"
-      permission="senaite.core.permissions.TransitionMultiResults"
+      permission="zope2.View"
       layer="senaite.core.interfaces.ISenaiteCore" />
 
   <!-- Manage Sample Fields -->
diff --git a/src/senaite/core/browser/samples/multi_results.py b/src/senaite/core/browser/samples/multi_results.py
index f713642fff..70500c68e1 100644
--- a/src/senaite/core/browser/samples/multi_results.py
+++ b/src/senaite/core/browser/samples/multi_results.py
@@ -40,7 +40,6 @@ def __init__(self, context, request):
         super(MultiResultsView, self).__init__(context, request)
         self.context = context
         self.request = request
-        self.portal = api.get_portal()
 
     def __call__(self):
         return self.template()

From 3b57737bb9e26bce8301746b21ba7392779b68ee Mon Sep 17 00:00:00 2001
From: Ramon Bartl <rb@ridingbytes.com>
Date: Thu, 8 Jun 2023 12:42:04 +0200
Subject: [PATCH 2/2] Changelog updated

---
 CHANGES.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGES.rst b/CHANGES.rst
index 769cdc7606..d37d0e1458 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,7 @@ Changelog
 2.5.0 (unreleased)
 ------------------
 
+- #2332 Fix unauthorized error when accessing immediate results entry view with a client contact user
 - #2295 Integrate new UID reference widget
 - #2315 Apply dynamic analyses specs for new added analyses
 - #2314 Display error for required fields without value in current language