Commit 9122fa76 authored by Aurel's avatar Aurel

make security work on accessors

add unit test for it
patch done by Romain and Jerome


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@20998 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent a0b4cb95
...@@ -35,6 +35,11 @@ class Accessor(Method): ...@@ -35,6 +35,11 @@ class Accessor(Method):
""" """
Generic Accessor - placehold for common methods Generic Accessor - placehold for common methods
""" """
class __roles__:
@staticmethod
def rolesForPermissionOn(ob):
return getattr(ob.im_self, '%s__roles__' % ob.__name__)
def __getinitargs__(self): def __getinitargs__(self):
init = getattr(self, '__init__', None) init = getattr(self, '__init__', None)
if init is not None: if init is not None:
......
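Review bot: `rolesForPermissionOn` calls `getattr` with no default, so an accessor with no `<name>__roles__` attribute on `ob.im_self` (or a method whose `im_self` is None) raises AttributeError from inside the permission lookup instead of producing a clear denial. Whether that ends up as a refusal then depends on what each caller happens to catch, which is fragile for an access-control path. Consider making the fallback explicit, e.g. `return getattr(ob.im_self, '%s__roles__' % ob.__name__, ())`, if the empty tuple is the intended private/deny value here. A one-line comment that roles are resolved per accessor name on the instance would also help. The enclosing `Accessor` class starts and ends outside this hunk.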
...@@ -42,8 +42,10 @@ from Products.ERP5Type.Utils import removeLocalPropertySheet ...@@ -42,8 +42,10 @@ from Products.ERP5Type.Utils import removeLocalPropertySheet
from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import newSecurityManager
from AccessControl import getSecurityManager from AccessControl import getSecurityManager
from AccessControl import Unauthorized from AccessControl import Unauthorized
from AccessControl.ZopeGuards import guarded_getattr, guarded_hasattr
from Products.ERP5Type.tests.utils import createZODBPythonScript from Products.ERP5Type.tests.utils import createZODBPythonScript
from Products.ERP5Type.tests.utils import removeZODBPythonScript from Products.ERP5Type.tests.utils import removeZODBPythonScript
from Products.ERP5Type import Permissions
class PropertySheetTestCase(ERP5TypeTestCase): class PropertySheetTestCase(ERP5TypeTestCase):
"""Base test case class for property sheets tests. """Base test case class for property sheets tests.
...@@ -2093,6 +2095,106 @@ class TestPropertySheet: ...@@ -2093,6 +2095,106 @@ class TestPropertySheet:
finally: finally:
removeZODBPythonScript(script_container, script_id) removeZODBPythonScript(script_container, script_id)
def test_DefaultSecurityOnAccessors(self):
# Test accessors are protected correctly
self._addProperty('Person',
''' { 'id': 'foo_bar',
'type': 'string',
'mode': 'w', }''')
obj = self.getPersonModule().newContent(portal_type='Person')
self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
# setter is protected by default with modify portal content
obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
# getter is protected with Access content information
obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
def test_DefaultSecurityOnListAccessors(self):
# Test list accessors are protected correctly
self._addProperty('Person',
''' { 'id': 'foo_bar',
'type': 'lines',
'mode': 'w', }''')
obj = self.getPersonModule().newContent(portal_type='Person')
self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
# setter is protected by default with modify portal content
obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
self.assertFalse(guarded_hasattr(obj, 'setFooBarList'))
self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
# getter is protected with Access content information
obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
self.assertFalse(guarded_hasattr(obj, 'getFooBarList'))
def test_DefaultSecurityOnCategoryAccessors(self):
# Test category accessors are protected correctly
obj = self.getPersonModule().newContent(portal_type='Person')
self.assertTrue(guarded_hasattr(obj, 'setRegion'))
self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
self.assertTrue(guarded_hasattr(obj, 'getRegion'))
self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
# setter is protected by default with modify portal content
obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
self.assertFalse(guarded_hasattr(obj, 'setRegion'))
self.assertFalse(guarded_hasattr(obj, 'setRegionValue'))
self.assertFalse(guarded_hasattr(obj, 'setRegionList'))
self.assertFalse(guarded_hasattr(obj, 'setRegionValueList'))
self.assertTrue(guarded_hasattr(obj, 'getRegion'))
self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
# getter is protected with Access content information
obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
self.assertTrue(guarded_hasattr(obj, 'setRegion'))
self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
self.assertFalse(guarded_hasattr(obj, 'getRegion'))
self.assertFalse(guarded_hasattr(obj, 'getRegionValue'))
self.assertFalse(guarded_hasattr(obj, 'getRegionList'))
self.assertFalse(guarded_hasattr(obj, 'getRegionValueList'))
def test_PropertySheetSecurityOnAccessors(self):
# Test accessors are protected correctly when you specify the permission
# in the property sheet.
self._addProperty('Person',
''' { 'id': 'foo_bar',
'write_permission' : 'Set own password',
'read_permission' : 'Manage users',
'type': 'string',
'mode': 'w', }''')
obj = self.getPersonModule().newContent(portal_type='Person')
self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
obj.manage_permission('Set own password', [], 0)
self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
obj.manage_permission('Set own password', ['Manager'], 1)
obj.manage_permission('Manage users', [], 0)
self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestERP5Type)) suite.addTest(unittest.makeSuite(TestERP5Type))
......
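Review bot: Every denial in the four new tests is asserted with `assertFalse(guarded_hasattr(...))`, which cannot tell a permission refusal from a broken lookup: guarded_hasattr appears to return false for AttributeError as well as Unauthorized (worth confirming for the AccessControl version in use). `guarded_getattr` is imported at the top of the file but is not used in the visible tests. Adding `self.assertRaises(Unauthorized, guarded_getattr, obj, 'setFooBar')` after each permission removal (and the matching getter and list/category names) would pin the refusal to the security check itself. `test_suite` continues outside the hunk.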