Make comment on private content not publicly available in search results.

This is part of PloneHotfix20161129.

Updated metadata.xml version to 1000.  This leaves more room for
profile version increases in earlier releases.  We apply the rolemap
step again to avoid accidentally missing it.

plone/app/discussion/tests/test_catalog.py

@@ -59,6 +59,10 @@ class ConversationCatalogTest(unittest.TestCase):
     def setUp(self):
         self.portal = self.layer['portal']
         setRoles(self.portal, TEST_USER_ID, ['Manager'])
+
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.portal.doc1, 'publish')
+
         self.catalog = getToolByName(self.portal, 'portal_catalog')
         conversation = IConversation(self.portal.doc1)
         comment1 = createObject('plone.Comment')

plone/app/discussion/tests/test_comment.py

@@ -27,6 +27,9 @@ class CommentTest(unittest.TestCase):
         self.portal = self.layer['portal']
         self.request = self.layer['request']
 
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.portal.doc1, 'publish')
+
         setRoles(self.portal, TEST_USER_ID, ['Manager'])
         self.catalog = getToolByName(self.portal, 'portal_catalog')
         self.document_brain = self.catalog.searchResults(
@@ -351,6 +354,9 @@ class RepliesTest(unittest.TestCase):
         self.portal = self.layer['portal']
         setRoles(self.portal, TEST_USER_ID, ['Manager'])
 
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.portal.doc1, 'publish')
+
     def test_add_comment(self):
         # Add comments to a CommentReplies adapter
 

plone/app/discussion/tests/test_comments_viewlet.py

@@ -458,7 +458,7 @@ class TestCommentsViewlet(unittest.TestCase):
         )
 
         self.workflowTool = getToolByName(self.portal, 'portal_workflow')
-        self.workflowTool.setDefaultChain('one_state_workflow')
+        self.workflowTool.setDefaultChain('comment_one_state_workflow')
 
         self.membershipTool = getToolByName(self.folder, 'portal_membership')
         self.memberdata = self.portal.portal_memberdata

plone/app/discussion/tests/test_controlpanel.py

@@ -163,9 +163,9 @@ class ConfigurationChangedSubscriberTest(unittest.TestCase):
            the 'comment_moderation' setting in the discussion control panel
            changes.
         """
-        # By default the one_state_workflow without moderation is enabled
+        # By default the comment_one_state_workflow without moderation is enabled
         self.assertEqual(
-            ('one_state_workflow',),
+            ('comment_one_state_workflow',),
             self.portal.portal_workflow.getChainForPortalType(
                 'Discussion Item'
             )
@@ -185,7 +185,7 @@ class ConfigurationChangedSubscriberTest(unittest.TestCase):
         # And back
         self.settings.moderation_enabled = False
         self.assertEqual(
-            ('one_state_workflow',),
+            ('comment_one_state_workflow',),
             self.portal.portal_workflow.getChainForPortalType(
                 'Discussion Item'
             )
@@ -211,7 +211,7 @@ class ConfigurationChangedSubscriberTest(unittest.TestCase):
         # Enable the 'comment_review_workflow' with moderation enabled
         self.portal.portal_workflow.setChainForPortalTypes(
             ('Discussion Item',),
-            ('one_state_workflow',)
+            ('comment_one_state_workflow',)
         )
         self.settings.moderation_enabled = True
 

plone/app/discussion/tests/test_conversation.py

@@ -50,6 +50,9 @@ class ConversationTest(unittest.TestCase):
         settings = registry.forInterface(IDiscussionSettings)
         settings.globally_enabled = True
 
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.portal.doc1, 'publish')
+
     def test_add_comment(self):
         # Create a conversation. In this case we doesn't assign it to an
         # object, as we just want to check the Conversation object API.
@@ -744,6 +747,9 @@ class RepliesTest(unittest.TestCase):
         self.portal = self.layer['portal']
         setRoles(self.portal, TEST_USER_ID, ['Manager'])
 
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.portal.doc1, 'publish')
+
     def test_add_comment(self):
         # Add comments to a ConversationReplies adapter
 

plone/app/discussion/tests/test_indexers.py

@@ -35,6 +35,9 @@ class ConversationIndexersTest(unittest.TestCase):
         self.portal = self.layer['portal']
         setRoles(self.portal, TEST_USER_ID, ['Manager'])
 
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.portal.doc1, 'publish')
+
         # Create a conversation.
         conversation = IConversation(self.portal.doc1)
 

plone/app/discussion/tests/test_moderation_view.py

@@ -46,9 +46,9 @@ class ModerationViewTest(unittest.TestCase):
         # If workflow is not set, enabled must return False
         self.wf_tool.setChainForPortalTypes(('Discussion Item',), ())
         self.assertEqual(self.view.moderation_enabled(), False)
-        # The one_state_workflow does not have a 'pending' state
+        # The comment_one_state_workflow does not have a 'pending' state
         self.wf_tool.setChainForPortalTypes(('Discussion Item',),
-                                            ('one_state_workflow,'))
+                                            ('comment_one_state_workflow,'))
         self.assertEqual(self.view.moderation_enabled(), False)
         # The comment_review_workflow does have a 'pending' state
         self.wf_tool.setChainForPortalTypes(('Discussion Item',),

plone/app/discussion/tests/test_workflow.py

@@ -9,6 +9,7 @@ from plone.app.testing import login
 from plone.app.testing import logout
 from plone.app.testing import setRoles
 from plone.app.testing import TEST_USER_ID
+from plone.app.testing import TEST_USER_NAME
 from Products.CMFCore.permissions import View
 from Products.CMFCore.utils import _checkPermission as checkPerm
 from zope.component import createObject
@@ -35,7 +36,7 @@ class WorkflowSetupTest(unittest.TestCase):
     def test_workflows_installed(self):
         """Make sure both comment workflows have been installed properly.
         """
-        self.assertTrue('one_state_workflow' in
+        self.assertTrue('comment_one_state_workflow' in
                         self.portal.portal_workflow.objectIds())
         self.assertTrue('comment_review_workflow' in
                         self.portal.portal_workflow.objectIds())
@@ -44,7 +45,7 @@ class WorkflowSetupTest(unittest.TestCase):
         """Make sure one_state_workflow is the default workflow.
         """
         self.assertEqual(
-            ('one_state_workflow',),
+            ('comment_one_state_workflow',),
             self.portal.portal_workflow.getChainForPortalType(
                 'Discussion Item'
             )
@@ -102,7 +103,7 @@ class PermissionsSetupTest(unittest.TestCase):
 
 
 class CommentOneStateWorkflowTest(unittest.TestCase):
-    """Test the one_state_workflow that ships with plone.app.discussion.
+    """Test the comment_one_state_workflow that ships with plone.app.discussion.
     """
 
     layer = PLONE_APP_DISCUSSION_INTEGRATION_TESTING
@@ -114,8 +115,6 @@ class CommentOneStateWorkflowTest(unittest.TestCase):
         self.folder = self.portal['test-folder']
         self.catalog = self.portal.portal_catalog
         self.workflow = self.portal.portal_workflow
-        self.workflow.setChainForPortalTypes(['Document'],
-                                             'one_state_workflow')
         self.folder.invokeFactory('Document', 'doc1')
         self.doc = self.folder.doc1
 
@@ -137,10 +136,10 @@ class CommentOneStateWorkflowTest(unittest.TestCase):
         self.portal.acl_users._doAddUser('reader', 'secret', ['Reader'], [])
 
     def test_initial_workflow_state(self):
-        """Make sure the initial workflow state of a comment is 'published'.
+        """Make sure the initial workflow state of a comment is 'private'.
         """
         self.assertEqual(self.workflow.getInfoFor(self.doc, 'review_state'),
-                         'published')
+                         'private')
 
     def test_view_comments(self):
         """Make sure published comments can be viewed by everyone.
@@ -149,6 +148,10 @@ class CommentOneStateWorkflowTest(unittest.TestCase):
         # self.login(default_user)
         # self.assertTrue(checkPerm(View, self.doc))
         # Member is allowed
+        login(self.portal, TEST_USER_NAME)
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.doc, 'publish')
+
         login(self.portal, 'member')
         self.assertTrue(checkPerm(View, self.comment))
         # Reviewer is allowed
@@ -164,6 +167,30 @@ class CommentOneStateWorkflowTest(unittest.TestCase):
         login(self.portal, 'reader')
         self.assertTrue(checkPerm(View, self.comment))
 
+    def test_comment_on_private_content_not_visible_to_world(self):
+        logout()
+        self.assertFalse(checkPerm(View, self.comment))
+
+    def test_migration(self):
+        from plone.app.discussion.upgrades import upgrade_comment_workflows
+        # Fake permission according to earlier one_comment_workflow.
+        self.comment._View_Permission = ('Anonymous',)
+        # Anonymous can see the comment.
+        logout()
+        self.assertTrue(checkPerm(View, self.comment))
+        # Run the upgrade.
+        login(self.portal, TEST_USER_NAME)
+        upgrade_comment_workflows(self.portal.portal_setup)
+        # The workflow chain is still what we want.
+        self.assertEqual(
+            self.portal.portal_workflow.getChainFor('Discussion Item'),
+            ('comment_one_state_workflow',))
+        # A Manager can still see the comment.
+        self.assertTrue(checkPerm(View, self.comment))
+        # Anonymous cannot see the comment.
+        logout()
+        self.assertFalse(checkPerm(View, self.comment))
+
 
 class CommentReviewWorkflowTest(unittest.TestCase):
     """Test the comment_review_workflow that ships with plone.app.discussion.
@@ -269,3 +296,35 @@ class CommentReviewWorkflowTest(unittest.TestCase):
                 'review_state'
             )
         )
+
+    def test_publish_comment_on_private_content_not_visible_to_world(self):
+        logout()
+        self.assertFalse(checkPerm(View, self.comment))
+
+        # publish comment and check again
+        login(self.portal, TEST_USER_NAME)
+        workflow = self.portal.portal_workflow
+        workflow.doActionFor(self.comment, 'publish')
+
+        logout()
+        self.assertFalse(checkPerm(View, self.comment))
+
+    def test_migration(self):
+        from plone.app.discussion.upgrades import upgrade_comment_workflows
+        # Fake permission according to earlier comment_review_workflow.
+        self.comment._View_Permission = ('Anonymous',)
+        # Anonymous can see the comment.
+        logout()
+        self.assertTrue(checkPerm(View, self.comment))
+        # Run the upgrade.
+        login(self.portal, TEST_USER_NAME)
+        upgrade_comment_workflows(self.portal.portal_setup)
+        # The workflow chain is still what we want.
+        self.assertEqual(
+            self.portal.portal_workflow.getChainFor('Discussion Item'),
+            ('comment_review_workflow',))
+        # A Manager can still see the comment.
+        self.assertTrue(checkPerm(View, self.comment))
+        # Anonymous cannot see the comment.
+        logout()
+        self.assertFalse(checkPerm(View, self.comment))