Commit c3d34144 authored by Nicolas Delaby's avatar Nicolas Delaby

Test Security on Temp objects for connected and anonymous users


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@44631 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 8ccd5d04
...@@ -37,8 +37,10 @@ from Testing import ZopeTestCase ...@@ -37,8 +37,10 @@ from Testing import ZopeTestCase
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase,\ from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase,\
_getConversionServerDict _getConversionServerDict
from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import newSecurityManager
from AccessControl import getSecurityManager
from Products.ERP5Type.tests.Sequence import SequenceList from Products.ERP5Type.tests.Sequence import SequenceList
from Products.ERP5Type.Base import Base from Products.ERP5Type.Base import Base
from Products.ERP5Type.Utils import convertToUpperCase
from zExceptions import BadRequest from zExceptions import BadRequest
from Products.ERP5Type.tests.backportUnittest import skip from Products.ERP5Type.tests.backportUnittest import skip
from Products.ERP5Type.Workflow import addWorkflowByType from Products.ERP5Type.Workflow import addWorkflowByType
...@@ -1015,7 +1017,6 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional): ...@@ -1015,7 +1017,6 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
for permission in permission_list: for permission in permission_list:
manager_has_no_permission[permission] = () manager_has_no_permission[permission] = ()
from AccessControl import getSecurityManager
user = getSecurityManager().getUser() user = getSecurityManager().getUser()
try: try:
self.assertTrue(permission_list) self.assertTrue(permission_list)
...@@ -1192,15 +1193,48 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional): ...@@ -1192,15 +1193,48 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
self.assertEquals(1, len(self.getPortal().portal_catalog( self.assertEquals(1, len(self.getPortal().portal_catalog(
translated_portal_type='Person', title='translate_table_test'))) translated_portal_type='Person', title='translate_table_test')))
def test_TempBasePublicMethods(self): def test_TemporaryObjectPublicMethodListForAnonymous(self):
# make sure TempBase methods 'edit' and 'setProperty' are actually public """make sure temporary object methods are actually public.
Thanks to owner role, even for Anonymous users
"""
self.logout() self.logout()
from Products.ERP5Type.Document import newTempBase organisation = self.portal.organisation_module.newContent(
from OFS.Traversable import guarded_getattr portal_type='Organisation',
tb = newTempBase(self.portal, '_temp_base') temp_object=True)
for name in ('edit', 'setProperty'): user = getSecurityManager().getUser()
self.assertTrue('Owner' in user.getRolesInContext(organisation))
from AccessControl.ZopeGuards import guarded_getattr
property_map_dict = organisation.propertyMap()
property_id_list = ('edit', 'setProperty', 'getProperty') + \
tuple(['get' + convertToUpperCase(property_map['id'])\
for property_map in property_map_dict])
for property_id in property_id_list:
# should not raise Unauthorized
guarded_getattr(organisation, property_id)
def test_TemporaryObjectPublicMethodList(self):
"""make sure temporary object methods are actually public.
Thanks to owner role.
"""
uf = self.getPortal().acl_users
uf._doAddUser('BOBBY', '', ['Member',], [])
user = uf.getUserById('BOBBY').__of__(uf)
newSecurityManager(None, user)
organisation = self.portal.organisation_module.newContent(
portal_type='Organisation',
temp_object=True)
user = getSecurityManager().getUser()
self.assertTrue('Owner' in user.getRolesInContext(organisation))
from AccessControl.ZopeGuards import guarded_getattr
property_map_dict = organisation.propertyMap()
property_id_list = ('edit', 'setProperty', 'getProperty') + \
tuple(['get' + convertToUpperCase(property_map['id'])\
for property_map in property_map_dict])
for property_id in property_id_list:
# should not raise Unauthorized # should not raise Unauthorized
edit = guarded_getattr(tb, name) guarded_getattr(organisation, property_id)
@skip("isIndexable is not designed to work like tested here, this test \ @skip("isIndexable is not designed to work like tested here, this test \
must be rewritten once we know how to handle correctly templates") must be rewritten once we know how to handle correctly templates")
......
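Review bot: A negative control is missing from both new tests in the last hunk (test_TemporaryObjectPublicMethodListForAnonymous and test_TemporaryObjectPublicMethodList): they assert that the current user holds `Owner` on the temp Organisation and that `guarded_getattr` does not raise, but never that the grant stays confined to the temporary object. This matters most in the Anonymous case, because a regression that widened the role to the container would still pass. I would add, next to the existing role assertion, something like `self.assertFalse('Owner' in user.getRolesInContext(self.portal.organisation_module))`, assuming the module is not itself expected to grant Owner to these users. Separately, `guarded_getattr` only shows that the attribute can be fetched under the guard, not that calling `edit` or `setProperty` succeeds, so the docstrings should say that this is what "public" means here. The enclosing TestBase class starts and ends outside the hunk.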