better permissioncheck for accountpanel forms

[thet]

Check the permission for the Object tab on the AccountPanelForm as configured in ZCML. This allows to revoke access to individual forms by changing the permissions via ZCML overrides.

[rnixx]

I like the idea of checking the permission the views are registered for.

Anyway, in the long run a TTW + GS configurable version would be more appropriate. This could be achieved by adding registry settings for defining these permissions as well as overriding the call function of the effected views and add manual security check there.

-r

[thet]

the idea was, that the persmission check should be done against the permissions the views are registered for. otherwise, we end up with defining permissions redundantly and having to change them in a lot of different places, as it was the case here.

it would be nice to define the possible objecttabs not hardcoded but either in portal actions or in registry. looks like, they were actually at some point defined in actions.xml, but can't find the commit for that nor why this was removed.

for the registry, this would need a PLIP, as it introduces a new way of configuring core components. we would need a schema, which could be modeled after the available portal_actions properties and upgrade paths from portal_actions based configurations to the registry one.

[jensens]

+1 to merge it. It can be refactored in future (if someone needs i), but this solution works and help to not expose permission denied pages to users.

[thet]

thanks! deleted the branch, which isn't needed anymore.