Allow SPV users to return protocol excerpt to proposal dossier

Author: Acrop146

docs/public/dev-manual/api/api_changelog.rst

@@ -13,6 +13,7 @@ Breaking Changes
 Other Changes
 ^^^^^^^^^^^^^
 - ``@membership-notes``: Add endpoint to update a note on a membership.
+- ``@ris-return-excerpt``: Add endpoint to allow users from spv to create a proposal excerpt in a dossier they do not have view permission in.
 
 
 2025.8.0 (2025-08-22)

docs/public/dev-manual/api/proposals.rst

@@ -159,3 +159,42 @@ Die Response ist eine Liste die für jede Beilage die folgenden Informationen zu
               "source": "dossier-1/proposal-1/document-76"
           }
       ]
+
+
+Protokollauszug im Antragsdossier ablegen
+=========================================
+
+Mit dem ``@ris-return-excerpt`` Endpoint können Protokollauszüge aus der SPV
+ins Antragsdossier eingereichtwerden. Der Endpoint erwartet als Pfad Parameter:
+
+- Mandant ID
+- relative Dossierpfad
+- Vermerk als String
+
+
+**Beispiel-Request**:
+
+   .. sourcecode:: http
+
+      POST ordnungssystem/dossier-1/document-1/@ris-return-excerpt HTTP/1.1
+      Accept: application/json
+
+      {
+        "target_admin_unit_id": "fd",
+        "target_dossier_relative_path": "ordnungssystem/dossier-1"
+      }
+
+**Beispiel-Response**:
+
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+        "path": "ordnungssystem/dossier-2/document-2",
+        "intid": 3,
+        "url": "http://gever.onegovgever.ch/fd/ordnungssystem/dossier-2/document-2",
+        "current_version_id": 1,
+      }

opengever/core/profiles/default/rolemap.xml

@@ -284,6 +284,12 @@
       <role name="Administrator" />
     </permission>
 
+    <!-- RIS -->
+    <permission name="opengever.ris: Return Excerpt" acquire="False">
+      <role name="Manager" />
+      <role name="Member" />
+    </permission>
+
     <!-- SHARING -->
     <permission name="Sharing page: Delegate Administrator role" acquire="True">
       <role name="Administrator" />

opengever/core/upgrades/20250924150922_add_ris_return_excerpt_permission/__init__ .py

@@ -0,0 +1,10 @@
+<rolemap>
+  <permissions>
+
+    <permission name="opengever.ris: Return Excerpt" acquire="True">
+      <role name="Manager" />
+      <role name="Member" />
+    </permission>
+
+  </permissions>
+</rolemap>

opengever/core/upgrades/20250924150922_add_ris_return_excerpt_permission/rolemap.xml

@@ -0,0 +1,9 @@
+from ftw.upgrade import UpgradeStep
+
+
+class AddRisReturnExcerptPermission(UpgradeStep):
+    """Add ris return excerpt permission.
+    """
+
+    def __call__(self):
+        self.install_upgrade_profile()

opengever/core/upgrades/20250924150922_add_ris_return_excerpt_permission/upgrade.py

@@ -1,8 +1,11 @@
 <configure
     xmlns="http://namespaces.zope.org/zope"
     xmlns:browser="http://namespaces.zope.org/browser"
+    xmlns:plone="http://namespaces.plone.org/plone"
     i18n_domain="opengever.ris">
 
+  <include package="plone.rest" file="meta.zcml" />
+
   <browser:page
       name="proposal_transition_controller"
       for="opengever.ris.proposal.IProposal"
@@ -38,4 +41,21 @@
       permission="cmf.ModifyPortalContent"
       />
 
+  <plone:service
+      name="@ris-return-excerpt"
+      for="opengever.document.document.IDocumentSchema"
+      method="POST"
+      factory="opengever.ris.browser.ris_excerpt.RISReturnExcerptService"
+      permission="opengever.ris.ReturnExcerpt"
+      layer="opengever.base.interfaces.IOpengeverBaseLayer"
+      />
+
+  <browser:page
+      name="receive-ris-return-excerpt"
+      for="opengever.dossier.behaviors.dossier.IDossierMarker"
+      class="opengever.ris.browser.ris_excerpt.RISReturnExcerptReceive"
+      permission="zope.Public"
+      layer="opengever.ogds.base.interfaces.IInternalOpengeverRequestLayer"
+      />
+
 </configure>

opengever/ris/browser/configure.zcml

@@ -0,0 +1,129 @@
+from Acquisition import aq_inContextOf
+from Acquisition import aq_inner
+from opengever.base.json_response import JSONResponse
+from opengever.base.security import elevated_privileges
+from opengever.base.transport import PrivilegedReceiveObject
+from opengever.base.transport import Transporter
+from plone import api
+from plone.protect.interfaces import IDisableCSRFProtection
+from plone.restapi.deserializer import json_body
+from plone.restapi.services import Service
+from z3c.relationfield.relation import RelationValue
+from zExceptions import BadRequest
+from zope.component import getUtility
+from zope.interface import alsoProvides
+from zope.intid.interfaces import IIntIds
+import json
+
+
+class RISReturnExcerptService(Service):
+
+    def reply(self):
+        alsoProvides(self.request, IDisableCSRFProtection)
+
+        if not api.user.has_permission("View", obj=self.context):
+            return JSONResponse(self.request).error("Forbidden", status=403).dump()
+
+        data = json_body(self.request) or {}
+        target_cid = data.get("target_admin_unit_id")
+        container_path = data.get("target_dossier_relative_path")
+        proposal_relative_path = data.get("proposal_relative_path")
+
+        if not target_cid or not container_path:
+            return (
+                JSONResponse(self.request)
+                .error(
+                    "Target admin_unit_id and dossier_url are required.",
+                    status=400,
+                )
+                .dump()
+            )
+
+        container_path = container_path.lstrip("/")
+
+        result = Transporter().transport_to(
+            obj=self.context,
+            target_cid=target_cid,
+            container_path=container_path,
+            view="receive-ris-return-excerpt",
+            proposal_relative_path=proposal_relative_path,
+            finalize=data.get("finalize", True),
+        )
+        return result
+
+
+class RISReturnExcerptReceive(PrivilegedReceiveObject):
+    """Receiver on the target dossier. Runs with elevated privileges."""
+
+    def __call__(self):
+        obj = self.receive()
+        portal = self.context.portal_url.getPortalObject()
+        portal_path = "/".join(portal.getPhysicalPath())
+
+        intids = getUtility(IIntIds)
+
+        data = {
+            "path": "/".join(obj.getPhysicalPath())[len(portal_path) + 1:],
+            "intid": intids.queryId(obj),
+            "url": obj.absolute_url(),
+            "current_version_id": obj.get_current_version_id(missing_as_zero=True),
+        }
+
+        self.request.response.setHeader("Content-type", "application/json")
+        return json.dumps(data)
+
+    @property
+    def container(self):
+        return self.context
+
+    def _traverse_relpath(self, relpath):
+        portal = api.portal.get()
+
+        rel = (relpath or "").lstrip("/")
+
+        if isinstance(rel, unicode):
+            rel = rel.encode("utf-8")
+        try:
+            return portal.unrestrictedTraverse(rel, default=None)
+        except Exception:
+            return None
+
+    def _is_within(self, container, obj):
+        return aq_inContextOf(aq_inner(obj), aq_inner(container))
+
+    def _link_as_excerpt(self, proposal, document):
+
+        if not hasattr(proposal, "excerpts"):
+            raise BadRequest("Proposal has no 'excerpts' field.")
+
+        proposal.excerpts = [RelationValue(getUtility(IIntIds).getId(document))]
+        proposal.reindexObject(idxs=["excerpts"])
+
+    def receive(self):
+        data = self.request.form or {}
+        proposal_path = data.get("proposal_relative_path")
+        finalize = data.get("finalize", True)
+
+        document = super(RISReturnExcerptReceive, self).receive()
+
+        if proposal_path:
+            proposal = self._traverse_relpath(proposal_path)
+
+            if proposal is None:
+                raise BadRequest("Invalid 'proposal_relative_path' (object not found).")
+
+            if not self._is_within(self.container, proposal):
+                raise BadRequest("The proposal is not located in the target dossier.")
+
+            self._link_as_excerpt(proposal, document)
+
+        if finalize:
+            try:
+                with elevated_privileges():
+                    api.content.transition(
+                        obj=document, transition="document-transition-finalize"
+                    )
+            except Exception:
+                pass
+
+        return document

opengever/ris/browser/ris_excerpt.py

@@ -4,4 +4,6 @@
 
   <permission id="opengever.ris.AddProposal" title="opengever.ris: Add Proposal" />
 
+  <permission id="opengever.ris.ReturnExcerpt" title="opengever.ris: Return Excerpt" />
+
 </configure>