testGUIwithSecurity.py 6.13 KB
Newer Older
1
# -*- coding: utf-8 -*-
2
##############################################################################
3 4
#
# Copyright (c) 2006 Nexedi SARL and Contributors. All Rights Reserved.
5
#          Bartek Górny <bartek@erp5.pl>
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsability of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# garantees and support are strongly adviced to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
##############################################################################


import unittest

from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
from AccessControl.SecurityManagement import newSecurityManager
from zLOG import LOG
from Products.ERP5Type.tests.Sequence import SequenceList
from Testing import ZopeTestCase
from DateTime import DateTime


class TestGUISecurity(ERP5TypeTestCase):
  """
  """
  quiet = 0
  run_all_test = 1

  def getBusinessTemplateList(self):
    return ('erp5_ui_test', 'erp5_base')

  def getTitle(self):
    return "Security Issues in GUI"

  def afterSetUp(self):
    self.login()

  def login(self):
    uf = self.getPortal().acl_users
    uf._doAddUser('seb', '', ['Manager'], [])
    user = uf.getUserById('seb').__of__(uf)
    newSecurityManager(None, user)

  def loginAs(self, id='user'):
    uf = self.getPortal().acl_users
Vincent Pelletier's avatar
Vincent Pelletier committed
64
    user = uf.getUser(id).__of__(uf)
65 66 67 68 69 70 71
    newSecurityManager(None, user)

  def stepCreateObjects(self, sequence = None, sequence_list = None, **kw):
    # Make sure that the status is clean.
    portal = self.getPortal()
    portal.ListBoxZuite_reset()
    message = portal.foo_module.FooModule_createObjects()
72
    self.assertTrue('Created Successfully' in message)
73 74
    if not hasattr(portal.person_module, 'user'):
      user = portal.person_module.newContent(portal_type='Person', id='user', reference='user')
75
      user.newContent(portal_type='ERP5 Login', reference='user').validate()
76 77 78 79
      asg = user.newContent(portal_type='Assignment')
      asg.setStartDate(DateTime() - 100)
      asg.setStopDate(DateTime() + 100)
      asg.open()
80
    self.commit()
81 82 83 84

  def stepCreateTestFoo(self, sequence = None, sequence_list = None, **kw):
    foo_module = self.getPortal().foo_module
    foo_module.newContent(portal_type='Foo', id='foo', foo_category='a')
85 86 87 88 89
    # allow Member to view foo_module in a hard coded way as it is not required to setup complex
    # security for this test (by default only 5A roles + Manager can view default modules)
    args = (('Manager', 'Member', 'Assignor', 'Assignee', 'Auditor', 'Associate' ), 0)
    foo_module.manage_permission('Access contents information', *args)
    foo_module.manage_permission('View', *args)
90
    self.commit()
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161

  def stepAccessFoo(self, sequence = None, sequence_list = None, **kw):
    """
      Try to view the Foo_view form, make sure Unauthorized is not raised.
    """
    self.loginAs()
    self.getPortal().foo_module.foo.Foo_view()
    self.login()

  def stepChangeCategorySecurity(self, sequence = None, sequence_list = None, **kw):
    """
      here we change security of a category to which the "Foo" is related
      and which is displayed in the Foo's RelationStringField
    """
    category = self.getPortal().portal_categories.foo_category.a
    args = (('Manager',), 0)
    category.manage_permission('Access contents information', *args)
    category.manage_permission('View', *args)
    self.tic()

  def stepResetCategorySecurity(self, sequence = None, sequence_list = None, **kw):
    """
      reset it back
    """
    category = self.getPortal().portal_categories.foo_category.a
    args = ((), 1)
    category.manage_permission('Access contents information', *args)
    category.manage_permission('View', *args)
    self.tic()

  def test_01_relationFieldToInaccessibleObject(self, quiet=quiet, run=run_all_test):
    """
      This test checks if a form can be viewed when it contains a RelationStringField which
      links to an object the user is not authorized to view.

      This fails for now. A proposed patch solving this problem is here:
      http://svn.erp5.org/experimental/FSPatch/Products/ERP5Form/ERP5Form_safeRelationField.diff?view=markup

      This problem can happen for example in the following situation:
      - a user is a member of a project P team, so he can view P
      - the user creates a project-related document and leaves it in "draft" state
      - the user quits the project P team
      Then the user can not view the project, but still can view his document as he is the owner.
      An attempt to view the document form would raise Unauthorized.
    """
    self.login()
    if not run: return
    if not quiet:
      message = 'test_01_relationFieldToInaccessibleObject'
      ZopeTestCase._print('\n%s ' % message)
      LOG('Testing... ', 0, message)
    sequence_list = SequenceList()
    sequence_string = '\
                       CreateObjects \
                       CreateTestFoo \
                       Tic \
                       AccessFoo \
                       ChangeCategorySecurity \
                       AccessFoo \
                       ResetCategorySecurity \
                       AccessFoo \
                       '
    sequence_list.addSequenceString(sequence_string)
    sequence_list.play(self, quiet=quiet)


def test_suite():
  suite = unittest.TestSuite()
  suite.addTest(unittest.makeSuite(TestGUISecurity))
  return suite