Plone.app.workflow

------------------

- Keep the icons for inherited and global roles when updating the sharing
page after a search. This fixes http://dev.plone.org/plone/ticket/8313 .
[wichert]

- Sort the principals in the sharing page. Before they could reorder
randomly when saving changes.
[wichert]

- Fix a logic error in sharing page view: role changes would appear to be
lost when saving a view, while the were really applied. This fixes
http://dev.plone.org/plone/ticket/8295 .
[wichert]

------------------

- Modify the inline (kss) search option in the sharing page to only search
and not update the roles and search. This behaviour was unintuitive and
possible very very slow.
[wichert]

- Update the sharing page to do nothing if the new set of roles is the
same as the current set of roles.
[wichert]

- Update sharing code to only reindex once instead of twice.
[wichert]

- Only call reindexObjectSecurity from the sharing tab's update_inherit method
if the setting actually changed. This avoids an unnecessary, potentially
expensive catalog reindex in many cases.
[davisagli]

- Update the search-result merging code based on the code from PlonePAS 3.6.
[wichert]

- Handle principals which can not be retrieved. This can occur in LDAP
environments.
[wichert]

- Mark the security names as public so they can be imported everywhere
and register them with Zope on startup so you can manage them via the
ZMI or a GenericSetup profile.
[wichert]

------------------

- Protect the "sharing" form against CSRF attacks.
[witsch]

------------------

- Created fine-grained permissions for delegating sharing page roles in
order to avoid people with a delegated permission escalating their own
privileges. This can now be controlled at a high level by the
"Sharing page: Delegate roles" permission, which controls access to the
Sharing page machinery, and at an individual roles basis, with
permissions like "Sharing page: Delegate Editor role".
http://dev.plone.org/plone/ticket/7652

- Stopped people from locking themselves out by disabling the ability
to edit their own roles.

- Added friendly "Changes saved" message.
http://dev.plone.org/plone/ticket/6966

- user_search_results() now searches in login name as well as fullname.
Fixes http://dev.plone.org/plone/ticket/6853
[erikrose]

- Factored up the duplicated logic from user_search_results() and
group_search_results() to form _principal_search_results().
[erikrose]

---

- Added missing closing head tag to sharing.pt. This closes
http://dev.plone.org/plone/ticket/7161.
[hannosch]