- Merge bindings test, python script fix from 2.6 branch.

618f7fac · Tres Seaver · e4f59104 · 618f7fac · 618f7fac
Commit 618f7fac authored Jan 27, 2004 by Tres Seaver
Showing with 91 additions and 13 deletions

lib/python/AccessControl/tests/testBindings.py lib/python/AccessControl/tests/testBindings.py +85 -1

lib/python/Products/PythonScripts/PythonScript.py lib/python/Products/PythonScripts/PythonScript.py +6 -12

No files found.
--- a/lib/python/AccessControl/tests/testBindings.py
+++ b/lib/python/AccessControl/tests/testBindings.py
@@ -13,12 +13,14 @@
 ##############################################################################
 """Test Bindings
-$Id: testBindings.py,v 1.4 2004/01/27 18:37:24 Brian Exp $
+$Id: testBindings.py,v 1.5 2004/01/27 19:37:29 tseaver Exp $
 """
 import unittest
 import ZODB
 from Acquisition import Implicit
+from AccessControl import ClassSecurityInfo
+from Globals import InitializeClass
 from OFS.ObjectManager import ObjectManager
 from OFS.Folder import Folder
@@ -73,9 +75,20 @@ class FauxRoot(ObjectManager):
        return '<FauxRoot>'
 class FauxFolder(Folder):
+    security = ClassSecurityInfo()
+    security.declareObjectPrivate()
+    security.declarePrivate('__repr__')
    def __repr__(self):
        return '<FauxFolder: %s>' % self.getId()
+    security.declarePublic('methodWithRoles')
+    def methodWithRoles(self):
+        return 'method called'
+InitializeClass(FauxFolder)
 class TestBindings(unittest.TestCase):
    def setUp(self):
@@ -130,12 +143,23 @@ class TestBindings(unittest.TestCase):
        bound_used_context_ps = self._newPS('return context.id')
        guarded._setOb('bound_used_context_ps', bound_used_context_ps)
+        bound_used_context_methodWithRoles_ps = self._newPS(
+                                           'return context.methodWithRoles()')
+        guarded._setOb('bound_used_context_methodWithRoles_ps',
+                        bound_used_context_methodWithRoles_ps)
        container_ps = self._newPS('return container')
        guarded._setOb('container_ps', container_ps)
+        container_str_ps = self._newPS('return str(container)')
+        guarded._setOb('container_str_ps', container_str_ps)
        context_ps = self._newPS('return context')
        guarded._setOb('context_ps', context_ps)
+        context_str_ps = self._newPS('return str(context)')
+        guarded._setOb('context_str_ps', context_str_ps)
        return root
    def _newPS(self, txt, bind=None):
@@ -165,9 +189,32 @@ class TestBindings(unittest.TestCase):
        newSecurityManager(None, UnderprivilegedUser())
        root = self._makeTree()
        guarded = root._getOb('guarded')
        ps = guarded._getOb('bound_used_container_ps')
        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('container_str_ps')
+        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('container_ps')
+        container = ps()
+        self.assertRaises(Unauthorized, container)
+        self.assertRaises(Unauthorized, container.index_html)
+        try:
+            str(container)
+        except Unauthorized:
+            pass
+        else:
+            self.fail("str(container) didn't raise Unauthorized!")
+        ps = guarded._getOb('bound_used_container_ps')
+        ps._proxy_roles = ( 'Manager', )
+        ps()
+        ps = guarded._getOb('container_str_ps')
+        ps._proxy_roles = ( 'Manager', )
+        ps()
    def test_bound_used_container_allowed(self):
        from AccessControl.SecurityManagement import newSecurityManager
        newSecurityManager(None, UnderprivilegedUser())
@@ -191,9 +238,32 @@ class TestBindings(unittest.TestCase):
        newSecurityManager(None, UnderprivilegedUser())
        root = self._makeTree()
        guarded = root._getOb('guarded')
        ps = guarded._getOb('bound_used_context_ps')
        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('context_str_ps')
+        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('context_ps')
+        context = ps()
+        self.assertRaises(Unauthorized, context)
+        self.assertRaises(Unauthorized, context.index_html)
+        try:
+            str(context)
+        except Unauthorized:
+            pass
+        else:
+            self.fail("str(context) didn't raise Unauthorized!")
+        ps = guarded._getOb('bound_used_context_ps')
+        ps._proxy_roles = ( 'Manager', )
+        ps()
+        ps = guarded._getOb('context_str_ps')
+        ps._proxy_roles = ( 'Manager', )
+        ps()
    def test_bound_used_context_allowed(self):
        from AccessControl.SecurityManagement import newSecurityManager
        newSecurityManager(None, UnderprivilegedUser())
@@ -221,6 +291,20 @@ class TestBindings(unittest.TestCase):
                                      'name_subpath': ''})
        self.assertEqual(boundless_ps(), 42)
+    def test_bound_used_context_method_w_roles(self):
+        from AccessControl.SecurityManagement import newSecurityManager
+        from AccessControl import Unauthorized
+        newSecurityManager(None, UnderprivilegedUser())
+        root = self._makeTree()
+        guarded = root._getOb('guarded')
+        # Assert that we can call a protected method, even though we have
+        # no access to the context directly.
+        ps = guarded._getOb('bound_used_context_ps')
+        self.assertRaises(Unauthorized, ps)
+        ps = guarded._getOb('bound_used_context_methodWithRoles_ps')
+        self.assertEqual(ps(), 'method called')
 def test_suite():
    suite = unittest.TestSuite()

--- a/lib/python/Products/PythonScripts/PythonScript.py
+++ b/lib/python/Products/PythonScripts/PythonScript.py
@@ -17,7 +17,7 @@ This product provides support for Script objects containing restricted
 Python code.
 """
-__version__='$Revision: 1.53 $'[11:-2]
+__version__='$Revision: 1.54 $'[11:-2]
 import sys, os, traceback, re, marshal, new
 from Globals import DTMLFile, MessageDialog, package_home
@@ -315,17 +315,11 @@ class PythonScript(Script, Historical, Cacheable):
            PythonScriptTracebackSupplement, self, -1)
        f = new.function(fcode, g, None, fadefs)
-        # Execute the function in a new security context.
+        result = f(*args, **kw)
-        security=getSecurityManager()
+        if keyset is not None:
-        security.addContext(self)
+            # Store the result in the cache.
-        try:
+            self.ZCacheable_set(result, keywords=keyset)
-            result = f(*args, **kw)
+        return result
-            if keyset is not None:
-                # Store the result in the cache.
-                self.ZCacheable_set(result, keywords=keyset)
-            return result
-        finally:
-            security.removeContext(self)
    def manage_haveProxy(self,r): return r in self._proxy_roles