A limited admin, an administrator and a manager can always remove a watcher from an object.

Author: elioschmutz

changes/TI-1935.feature

@@ -0,0 +1 @@
+A limited admin, an administrator and a manager can always remove a watcher from an object. [elioschmutz]

opengever/api/permissions.zcml

@@ -8,5 +8,6 @@
   <permission id="opengever.api.ManageGroups" title="opengever.api: Manage Groups" />
   <permission id="opengever.api.NotifyArbitraryUsers" title="opengever.api: Notify Arbitrary Users" />
   <permission id="opengever.api.AccessErrorLog" title="opengever.api: Access error log" />
+  <permission id="opengever.api.RemoveAnyWatcher" title="opengever.api: Remove any watcher" />
 
 </configure>

opengever/api/tests/test_watchers.py

@@ -851,24 +851,77 @@ def test_delete_raises_forbidden_if_not_allowed(self):
 
     def test_can_delete_returns_true_for_current_user(self):
         self.login(self.regular_user)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.regular_user.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.regular_user.getId()))
+
+    def test_can_delete_returns_true_if_actor_has_watcher_role(self):
+        self.login(self.regular_user)
+        center = notification_center()
+
+        # No one is watching with the WATCHER_ROLE
+        self.assertItemsEqual(
+            [],
+            [watcher.actorid for watcher in center.get_watchers(self.task, WATCHER_ROLE)]
+        )
+
+        # But with other roles
+        self.assertItemsEqual(
+            [self.regular_user.getId(), self.dossier_responsible.getId()],
+            [watcher.actorid for watcher in center.get_watchers(self.task)]
+        )
+
+        # Delete should not be possible because the WATCHER_ROLE is missing for the user
+        self.assertFalse(WatcherDeleter(self.task).can_delete(self.regular_user.getId()))
+
+        center.add_watcher_to_resource(self.task, self.regular_user.getId(), WATCHER_ROLE)
+
+        self.assertItemsEqual(
+            [self.regular_user.getId()],
+            [watcher.actorid for watcher in center.get_watchers(self.task, WATCHER_ROLE)]
+        )
+
+        # Now it's possible because the user is watching with the required role
         self.assertTrue(WatcherDeleter(self.task).can_delete(self.regular_user.getId()))
 
     def test_can_delete_returns_true_for_groups(self):
         self.login(self.regular_user)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, 'fa_users', WATCHER_ROLE)
+
         self.assertTrue(WatcherDeleter(self.task).can_delete('fa_users'))
 
     def test_can_delete_returns_false_for_foreign_actors_as_editor(self):
         self.login(self.regular_user)
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
         self.assertFalse(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
 
-    def test_can_delete_returns_false_for_foreign_actors_as_limited_admin(self):
+    def test_can_delete_returns_true_for_foreign_actors_as_limited_admin(self):
         self.login(self.limited_admin)
-        self.assertFalse(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
 
-    def test_can_delete_returns_false_for_foreign_actors_as_administrator(self):
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
+
+    def test_can_delete_returns_true_for_foreign_actors_as_administrator(self):
         self.login(self.administrator)
-        self.assertFalse(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
 
-    def test_can_delete_returns_false_for_foreign_actors_as_manager(self):
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
+
+    def test_can_delete_returns_true_for_foreign_actors_as_manager(self):
         self.login(self.manager)
-        self.assertFalse(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))
+
+        center = notification_center()
+        center.add_watcher_to_resource(self.task, self.dossier_responsible.getId(), WATCHER_ROLE)
+
+        self.assertTrue(WatcherDeleter(self.task).can_delete(self.dossier_responsible.getId()))

opengever/api/watchers.py

@@ -98,9 +98,20 @@ class WatcherDeleter(object):
 
     def __init__(self, context):
         self.context = context
+        self.center = notification_center()
 
     def can_delete(self, actor_id):
-        # The user can always remove itslef
+        watchers = self.center.get_watchers(self.context, WATCHER_ROLE)
+
+        # Delete watcher is only possible for the WATCHER_ROLE
+        if actor_id not in [watcher.actorid for watcher in watchers]:
+            return False
+
+        # Always allow depending on a permission
+        if api.user.has_permission('opengever.api: Remove any watcher', obj=self.context):
+            return True
+
+        # The user can always remove itself
         if actor_id == api.user.get_current().getId():
             return True
 

opengever/base/monkey/patches/readonly.py

@@ -230,6 +230,7 @@ def getRolesInContext(self, context):
     'opengever.api: Manage Role Assignment Reports',
     'opengever.api: Notify Arbitrary Users',
     'opengever.api: Transfer Assignment',
+    'opengever.api: Remove any watcher',
     'opengever.contact: Edit team',
     'opengever.disposition: Edit transfer number',
     'opengever.document: Cancel',

opengever/core/lawgiver.zcml

@@ -233,6 +233,7 @@
                    opengever.api: Manage Groups,
                    opengever.api: Manage Role Assignment Reports,
                    opengever.api: Notify Arbitrary Users,
+                   opengever.api: Remove any watcher,
                    opengever.api: Transfer Assignment,
                    opengever.api: View AllowedRolesAndPrincipals,
                    opengever.bumblebee: Revive Preview,

opengever/core/profiles/default/rolemap.xml

@@ -454,6 +454,12 @@
       <role name="Reviewer" />
     </permission>
 
+    <permission name="opengever.api: Remove any watcher" acquire="True">
+      <role name="Manager" />
+      <role name="Administrator" />
+      <role name="LimitedAdmin" />
+    </permission>
+
   </permissions>
 
 </rolemap>

opengever/core/upgrades/20250605111905_add_remove_any_watcher_permission/__init__.py

@@ -0,0 +1,9 @@
+<rolemap>
+  <permissions>
+    <permission name="opengever.api: Remove any watcher" acquire="True">
+      <role name="Manager" />
+      <role name="Administrator" />
+      <role name="LimitedAdmin" />
+    </permission>
+  </permissions>
+</rolemap>

opengever/core/upgrades/20250605111905_add_remove_any_watcher_permission/rolemap.xml

@@ -0,0 +1,9 @@
+from ftw.upgrade import UpgradeStep
+
+
+class AddRemoveAnyWatcherPermission(UpgradeStep):
+    """Add remove any watcher permission.
+    """
+
+    def __call__(self):
+        self.install_upgrade_profile()