Add @inherit service to get inherited behavior values (#1887)

* Add `@inherit` service to get inherited behavior values

* changelog

* Check view permission to prevent using this to read data that should be private

* Nest behaviors under inherit

* edit intro to docs

* Apply suggestions from code review

Co-authored-by: Steve Piercy <[email protected]>
Co-authored-by: Jens W. Klein <[email protected]>

---------

Co-authored-by: Steve Piercy <[email protected]>
Co-authored-by: Jens W. Klein <[email protected]>

Author: 3 people

Makefile

@@ -116,7 +116,7 @@ check: $(BIN_FOLDER)/tox ## Check and fix code base according to Plone standards
 
 .PHONY: test
 test: $(BIN_FOLDER)/zope-testrunner ## Run tests
-	$(BIN_FOLDER)/zope-testrunner --all --test-path=src -s plone.restapi
+	zope_i18n_compile_mo_files=True $(BIN_FOLDER)/zope-testrunner --all --test-path=src -s plone.restapi
 
 .PHONY: i18n
 i18n: $(BIN_FOLDER)/update_restapi_locales ## Update locales

docs/source/endpoints/index.md

@@ -31,6 +31,7 @@ email-notification
 email-send
 groups
 history
+inherit
 linkintegrity
 locking
 login

docs/source/endpoints/inherit.md

@@ -0,0 +1,57 @@
+---
+myst:
+  html_meta:
+    "description": "The inherit endpoint shows values inherited from content items higher in the hierarchy."
+    "property=og:description": "The inherit endpoint shows values inherited from content items higher in the hierarchy."
+    "property=og:title": "Inherit behaviors"
+    "keywords": "Plone, plone.restapi, REST, API, inherit, acquisition, behaviors"
+---
+
+(inherit-behaviors-label)=
+
+# Inherit behaviors
+
+Plone content is arranged in a hierarchy: a content item has a parent, which has its own parent, all the way up to the Plone site root.
+Together, all these parents are _ancestors_.
+
+The `@inherit` service makes it possible to access data from a behavior defined on one of these ancestors.
+
+```{tip}
+Inheriting behaviors is similar to the concept of {term}`acquisition` in Zope, but it doesn't happen automatically, so it's safer.
+```
+
+To use the service, send a `GET` request to the `@inherit` endpoint in the context of the content item that is the starting point for inheriting.
+Specify the `expand.inherit.behaviors` parameter as a comma-separated list of behaviors.
+
+```{eval-rst}
+..  http:example:: curl httpie python-requests
+    :request: ../../../src/plone/restapi/tests/http-examples/inherit_get.req
+```
+
+For each behavior, the service will find the closest ancestor which provides that behavior.
+The result includes `from` (the `@id` and `title` of the item from which values were inherited) and `data` (values for any fields that are part of the behavior).
+
+```{literalinclude} ../../../src/plone/restapi/tests/http-examples/inherit_get.resp
+:language: http
+```
+
+Ancestor items for which the current user lacks the `View` permission will be skipped.
+
+(inherit-behaviors-expansion-label)=
+
+## Expansion
+
+This endpoint can be used with the {doc}`../usage/expansion` mechanism which allows getting more information about a content item in one query, avoiding unnecessary requests.
+
+You can make a `GET` request for a content item, and include parameters to request `inherit` expansion for specific behaviors:
+
+```{eval-rst}
+..  http:example:: curl httpie python-requests
+    :request: ../../../src/plone/restapi/tests/http-examples/inherit_expansion.req
+```
+
+The response will include data from the `@inherit` endpoint within the `@components` property:
+
+```{literalinclude} ../../../src/plone/restapi/tests/http-examples/inherit_expansion.resp
+:language: http
+```

docs/source/usage/expansion.md

@@ -23,6 +23,7 @@ The following is a list of components that support expansion.
 -   {doc}`aliases <../endpoints/aliases>`
 -   {doc}`breadcrumbs <../endpoints/breadcrumbs>`
 -   {doc}`contextnavigation <../endpoints/contextnavigation>`
+-   {doc}`inherit <../endpoints/inherit>`
 -   {doc}`navigation <../endpoints/navigation>`
 -   {doc}`navroot <../endpoints/navroot>`
 -   {doc}`translations <../endpoints/translations>`

news/1887.feature

@@ -0,0 +1 @@
+Add a new endpoint, `@inherit`, for getting values from behaviors inherited from ancestors in the object hierarchy. @davisagli

src/plone/restapi/interfaces.py

@@ -32,6 +32,17 @@ def __init__(value, context):
         """Adapts value and a context"""
 
 
+class ISchemaSerializer(Interface):
+    """The schema serializer serializes all field values from a schema
+    into JSON-compatible Python data."""
+
+    def __init__(schema, context, request):
+        """Adapts schema, context, and request."""
+
+    def __call__():
+        """Returns JSON-compatible Python data."""
+
+
 class IFieldSerializer(Interface):
     """The field serializer multi adapter serializes the field value into
     JSON compatible python data.
@@ -41,7 +52,7 @@ def __init__(field, context, request):
         """Adapts field, context and request."""
 
     def __call__():
-        """Returns JSON compatible python data."""
+        """Returns JSON-compatible Python data."""
 
 
 class IPrimaryFieldTarget(Interface):

src/plone/restapi/serializer/configure.zcml

@@ -18,6 +18,8 @@
   <adapter factory=".summary.DefaultJSONSummarySerializer" />
   <adapter factory=".summary.SiteRootJSONSummarySerializer" />
 
+  <adapter factory=".schema.SerializeSchemaToJson" />
+
   <adapter factory=".dxfields.DefaultFieldSerializer" />
   <adapter factory=".dxfields.ChoiceFieldSerializer" />
   <adapter factory=".dxfields.CollectionFieldSerializer" />

src/plone/restapi/serializer/dxcontent.py

@@ -1,4 +1,3 @@
-from AccessControl import getSecurityManager
 from Acquisition import aq_inner
 from Acquisition import aq_parent
 from plone.app.contenttypes.interfaces import ILink
@@ -12,11 +11,13 @@
 from plone.restapi.interfaces import IFieldSerializer
 from plone.restapi.interfaces import IObjectPrimaryFieldTarget
 from plone.restapi.interfaces import IPrimaryFieldTarget
+from plone.restapi.interfaces import ISchemaSerializer
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.interfaces import ISerializeToJsonSummary
 from plone.restapi.serializer.converters import json_compatible
 from plone.restapi.serializer.expansion import expandable_elements
 from plone.restapi.serializer.nextprev import NextPrevious
+from plone.restapi.serializer.schema import check_permission as _check_permission
 from plone.restapi.serializer.utils import get_portal_type_title
 from plone.restapi.services.locking import lock_info
 from plone.rfc822.interfaces import IPrimaryFieldInfo
@@ -27,11 +28,9 @@
 from zope.component import ComponentLookupError
 from zope.component import getMultiAdapter
 from zope.component import queryMultiAdapter
-from zope.component import queryUtility
 from zope.interface import implementer
 from zope.interface import Interface
 from zope.schema import getFields
-from zope.security.interfaces import IPermission
 
 
 try:
@@ -75,8 +74,6 @@ def __init__(self, context, request):
         self.context = context
         self.request = request
 
-        self.permission_cache = {}
-
     def getVersion(self, version):
         if version == "current":
             return self.context
@@ -131,18 +128,10 @@ def __call__(self, version=None, include_items=True):
 
         # Insert field values
         for schema in iterSchemata(self.context):
-            read_permissions = mergedTaggedValueDict(schema, READ_PERMISSIONS_KEY)
-
-            for name, field in getFields(schema).items():
-                if not self.check_permission(read_permissions.get(name), obj):
-                    continue
-
-                # serialize the field
-                serializer = queryMultiAdapter(
-                    (field, obj, self.request), IFieldSerializer
-                )
-                value = serializer()
-                result[json_compatible(name)] = value
+            schema_serializer = getMultiAdapter(
+                (schema, obj, self.request), ISchemaSerializer
+            )
+            result.update(schema_serializer())
 
         target_url = getMultiAdapter(
             (self.context, self.request), IObjectPrimaryFieldTarget
@@ -160,19 +149,8 @@ def _get_workflow_state(self, obj):
         return review_state
 
     def check_permission(self, permission_name, obj):
-        if permission_name is None:
-            return True
-
-        if permission_name not in self.permission_cache:
-            permission = queryUtility(IPermission, name=permission_name)
-            if permission is None:
-                self.permission_cache[permission_name] = True
-            else:
-                sm = getSecurityManager()
-                self.permission_cache[permission_name] = bool(
-                    sm.checkPermission(permission.title, obj)
-                )
-        return self.permission_cache[permission_name]
+        # Here for backwards-compatibility
+        return _check_permission(permission_name, obj)
 
 
 @implementer(ISerializeToJson)
@@ -225,8 +203,6 @@ def __init__(self, context, request):
         self.context = context
         self.request = request
 
-        self.permission_cache = {}
-
     def __call__(self):
         primary_field_name = self.get_primary_field_name()
         if not primary_field_name:
@@ -266,19 +242,8 @@ def get_primary_field_name(self):
         return fieldname
 
     def check_permission(self, permission_name, obj):
-        if permission_name is None:
-            return True
-
-        if permission_name not in self.permission_cache:
-            permission = queryUtility(IPermission, name=permission_name)
-            if permission is None:
-                self.permission_cache[permission_name] = True
-            else:
-                sm = getSecurityManager()
-                self.permission_cache[permission_name] = bool(
-                    sm.checkPermission(permission.title, obj)
-                )
-        return self.permission_cache[permission_name]
+        # for backwards-compatibility
+        return _check_permission(permission_name, obj)
 
 
 @adapter(ILink, Interface)
@@ -288,8 +253,6 @@ def __init__(self, context, request):
         self.context = context
         self.request = request
 
-        self.permission_cache = {}
-
     def __call__(self):
         """
         If user can edit Link object, do not return remoteUrl

src/plone/restapi/serializer/schema.py

@@ -0,0 +1,60 @@
+from AccessControl import getSecurityManager
+from plone.autoform.interfaces import READ_PERMISSIONS_KEY
+from plone.restapi.interfaces import IFieldSerializer
+from plone.restapi.interfaces import ISchemaSerializer
+from plone.restapi.serializer.converters import json_compatible
+from plone.supermodel.utils import mergedTaggedValueDict
+from zope.component import adapter
+from zope.component import getMultiAdapter
+from zope.component import queryUtility
+from zope.interface import implementer
+from zope.interface import Interface
+from zope.interface.interfaces import IInterface
+from zope.schema import getFields
+from zope.security.interfaces import IPermission
+
+
+@adapter(IInterface, Interface, Interface)
+@implementer(ISchemaSerializer)
+class SerializeSchemaToJson:
+    """Serialize fields from a single schema, honoring read permissions."""
+
+    def __init__(self, schema, context, request):
+        self.context = context
+        self.request = request
+        self.schema = schema
+
+    def __call__(self):
+        result = {}
+
+        read_permissions = mergedTaggedValueDict(self.schema, READ_PERMISSIONS_KEY)
+        for name, field in getFields(self.schema).items():
+            if not check_permission(read_permissions.get(name), self.context):
+                continue
+            serializer = getMultiAdapter(
+                (field, self.context, self.request), IFieldSerializer
+            )
+            value = serializer()
+            result[json_compatible(name)] = value
+
+        return result
+
+
+def check_permission(permission_name, context) -> bool:
+    if permission_name is None:
+        return True
+
+    permission_cache = getattr(context, "_v_permission_cache", {})
+    if not permission_cache:
+        context._v_permission_cache = permission_cache
+
+    if permission_name not in permission_cache:
+        permission = queryUtility(IPermission, name=permission_name)
+        if permission is None:
+            permission_cache[permission_name] = True
+        else:
+            sm = getSecurityManager()
+            permission_cache[permission_name] = bool(
+                sm.checkPermission(permission.title, context)
+            )
+    return permission_cache[permission_name]

src/plone/restapi/serializer/site.py

@@ -1,31 +1,24 @@
-from AccessControl import getSecurityManager
 from importlib import import_module
-from plone.autoform.interfaces import READ_PERMISSIONS_KEY
 from plone.dexterity.utils import iterSchemata
 from plone.restapi.batching import HypermediaBatch
 from plone.restapi.bbb import IPloneSiteRoot
 from plone.restapi.blocks import iter_block_transform_handlers
 from plone.restapi.blocks import visit_blocks
 from plone.restapi.interfaces import IBlockFieldSerializationTransformer
-from plone.restapi.interfaces import IFieldSerializer
+from plone.restapi.interfaces import ISchemaSerializer
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.interfaces import ISerializeToJsonSummary
-from plone.restapi.serializer.converters import json_compatible
 from plone.restapi.serializer.dxcontent import get_allow_discussion_value
 from plone.restapi.serializer.dxcontent import update_with_working_copy_info
 from plone.restapi.serializer.expansion import expandable_elements
+from plone.restapi.serializer.schema import check_permission as _check_permission
 from plone.restapi.serializer.utils import get_portal_type_title
 from plone.restapi.services.locking import lock_info
-from plone.supermodel.utils import mergedTaggedValueDict
 from Products.CMFCore.utils import getToolByName
 from zope.component import adapter
 from zope.component import getMultiAdapter
-from zope.component import queryMultiAdapter
-from zope.component import queryUtility
 from zope.interface import implementer
 from zope.interface import Interface
-from zope.schema import getFields
-from zope.security.interfaces import IPermission
 
 import json
 
@@ -41,7 +34,6 @@ class SerializeSiteRootToJson:
     def __init__(self, context, request):
         self.context = context
         self.request = request
-        self.permission_cache = {}
 
     def _build_query(self):
         path = "/".join(self.context.getPhysicalPath())
@@ -88,20 +80,10 @@ def __call__(self, version=None):
 
             # Insert Plone Site DX root field values
             for schema in iterSchemata(self.context):
-                read_permissions = mergedTaggedValueDict(schema, READ_PERMISSIONS_KEY)
-
-                for name, field in getFields(schema).items():
-                    if not self.check_permission(
-                        read_permissions.get(name), self.context
-                    ):
-                        continue
-
-                    # serialize the field
-                    serializer = queryMultiAdapter(
-                        (field, self.context, self.request), IFieldSerializer
-                    )
-                    value = serializer()
-                    result[json_compatible(name)] = value
+                schema_serializer = getMultiAdapter(
+                    (schema, self.context, self.request), ISchemaSerializer
+                )
+                result.update(schema_serializer())
 
             # Insert locking information
             result.update({"lock": lock_info(self.context)})
@@ -133,19 +115,7 @@ def __call__(self, version=None):
         return result
 
     def check_permission(self, permission_name, obj):
-        if permission_name is None:
-            return True
-
-        if permission_name not in self.permission_cache:
-            permission = queryUtility(IPermission, name=permission_name)
-            if permission is None:
-                self.permission_cache[permission_name] = True
-            else:
-                sm = getSecurityManager()
-                self.permission_cache[permission_name] = bool(
-                    sm.checkPermission(permission.title, obj)
-                )
-        return self.permission_cache[permission_name]
+        return _check_permission(permission_name, obj)
 
     def serialize_blocks(self):
         # This is only for below 6