From 212332d7fbaa8e86f8e0a1df5388f724b7c93446 Mon Sep 17 00:00:00 2001
From: Manuel Reinhardt <reinhardt@syslab.com>
Date: Wed, 23 Oct 2024 16:02:38 +0200
Subject: [PATCH] Reindex managerRolesAndUsers recursively when managing ldap
 users.

Ref syslabcom/scrum#2640
---
 docs/changes.rst                              |  4 +++-
 .../oira/content/browser/manage_ldap_users.py | 21 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/docs/changes.rst b/docs/changes.rst
index 7db164ef..b994bc90 100644
--- a/docs/changes.rst
+++ b/docs/changes.rst
@@ -4,7 +4,9 @@ Changelog
 10.0.3 (unreleased)
 -------------------
 
-- Nothing changed yet.
+- Also update admin index for sectors and tools when managing ldap users. 
+  (`#2640 <https://github.com/syslabcom/scrum/issues/2640>`_)
+  [reinhardt]
 
 
 10.0.2 (2024-10-18)
diff --git a/src/osha/oira/content/browser/manage_ldap_users.py b/src/osha/oira/content/browser/manage_ldap_users.py
index e4a6469d..91d0d732 100644
--- a/src/osha/oira/content/browser/manage_ldap_users.py
+++ b/src/osha/oira/content/browser/manage_ldap_users.py
@@ -3,6 +3,11 @@
 from plone.memoize.view import memoize_contextless
 from Products.Five import BrowserView
 
+import logging
+
+
+logger = logging.getLogger(__name__)
+
 
 class BaseManageLDAPUsersView(BrowserView):
     _roles = set()
@@ -67,6 +72,20 @@ def revoke_roles(self, user):
             obj=self.context,
         )
 
+    def reindex_manager_roles(self, obj):
+        """Reindex `managerRolesAndUsers` index for `obj` and its contents recursively.
+        Based on Products.CMFCore.CMFCatalogAware.CatalogAware.reindexObjectSecurity
+        """
+        catalog = api.portal.get_tool("portal_catalog")
+        path = "/".join(obj.getPhysicalPath())
+        for brain in catalog.unrestrictedSearchResults(path=path):
+            try:
+                ob = brain._unrestrictedGetObject()
+            except (AttributeError, KeyError):
+                # don't fail on catalog inconsistency
+                continue
+            ob.reindexObject(idxs=["managerRolesAndUsers"])
+
     def maybe_manage_local_roles(self):
         """Check the request and see if we should mange some user local
         roles."""
@@ -83,7 +102,7 @@ def maybe_manage_local_roles(self):
             self.grant_roles(user)
         elif ldap_action == "revoke":
             self.revoke_roles(user)
-        self.context.reindexObject(idxs=["managerRolesAndUsers"])
+        self.reindex_manager_roles(self.context)
 
     def __call__(self):
         self.maybe_manage_local_roles()