Commit 789886c5 authored by Shane Hathaway's avatar Shane Hathaway

- Removed usage of ZODB from security suite.

- Corrected role comparison.  "None" means anonymous, an empty tuple means
  private, and private objects are not accessible even by managers.

- Removed attribute access tests, which don't work, and if they did,
  they would be duplicates of tests already in the RestrictedPython,
  DocumentTemplate, and PythonScripts packages.
parent c1374587
...@@ -84,13 +84,34 @@ ...@@ -84,13 +84,34 @@
############################################################################## ##############################################################################
import re, unittest, cStringIO import sys, re, unittest, cStringIO
import ZPublisher, ResultObject import ZPublisher, ResultObject
import OFS.Application
import AccessControl.SecurityManagement
# Set up a publishable, non-ZODB Zope application.
app = OFS.Application.Application()
def index_html():
" "
return "This is index_html."
app.index_html = index_html # Will index_html ever go away? ;-)
class BoboApplication:
# OFS.Application has a __bobo_traverse__ that ZPublisher thinks
# it should use to find the "real" root of the application.
# This class gets around that.
def __bobo_traverse__(self, request, name=None):
return app
# ZPublisher will look for these vars.
bobo_application = BoboApplication()
zpublisher_validated_hook=AccessControl.SecurityManagement.newSecurityManager
__bobo_before__=AccessControl.SecurityManagement.noSecurityManager
class SecurityBase(unittest.TestCase) : class SecurityBase(unittest.TestCase) :
""" Base class for all security tests """ Base class for all security tests
$Id: SecurityBase.py,v 1.4 2001/10/18 14:30:51 andreasjung Exp $ $Id: SecurityBase.py,v 1.5 2001/10/18 15:44:47 shane Exp $
""" """
status_regex = re.compile("Status: ([0-9]{1,4}) (.*)",re.I)\ status_regex = re.compile("Status: ([0-9]{1,4}) (.*)",re.I)\
...@@ -163,16 +184,20 @@ class SecurityBase(unittest.TestCase) : ...@@ -163,16 +184,20 @@ class SecurityBase(unittest.TestCase) :
s = "self.root.%s.__roles__" % hier s = "self.root.%s.__roles__" % hier
roles = eval(s) roles = eval(s)
if roles==None or len(roles)==0: same = 0
roles=() if roles is None or expected_roles is None:
if (roles is None or tuple(roles) == ('Anonymous',)) and (
roles = list(roles) expected_roles is None or
roles.sort() tuple(expected_roles) == ('Anonymous',)):
same = 1
expected_roles = list(expected_roles) else:
expected_roles.sort() got = {}
for r in roles: got[r] = 1
if roles != expected_roles: expected = {}
for r in expected_roles: expected[r] = 1
if got == expected: # Dict compare does the Right Thing.
same = 1
if not same:
raise AssertionError, self._roles_debug(hier,roles,expected_roles) raise AssertionError, self._roles_debug(hier,roles,expected_roles)
def _checkRequest(self,*args,**kw): def _checkRequest(self,*args,**kw):
...@@ -204,8 +229,8 @@ class SecurityBase(unittest.TestCase) : ...@@ -204,8 +229,8 @@ class SecurityBase(unittest.TestCase) :
def _roles_debug(self,hier,got_roles,expected_roles): def _roles_debug(self,hier,got_roles,expected_roles):
s = 'Object: %s' % hier s = 'Object: %s' % hier
s+= ', has roles: %s ' % got_roles s+= ', has roles: %s' % `got_roles`
s+= ', expected roles: %s' % expected_roles s+= ', expected roles: %s' % `expected_roles`
return s return s
...@@ -224,7 +249,15 @@ class SecurityBase(unittest.TestCase) : ...@@ -224,7 +249,15 @@ class SecurityBase(unittest.TestCase) :
io =cStringIO.StringIO() io =cStringIO.StringIO()
kw['fp']=io kw['fp']=io
ZPublisher.Zope(*args,**kw) # Publish this module.
testargs = (__name__,) + args
real_stdout = sys.stdout
garbage_out = cStringIO.StringIO()
sys.stdout = garbage_out # Silence, ZPublisher!
try:
ZPublisher.test(*testargs,**kw)
finally:
sys.stdout = real_stdout
outp = io.getvalue() outp = io.getvalue()
mo = self.status_regex.search(outp) mo = self.status_regex.search(outp)
......
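Review bot: The new comparison in _checkRoles (the `same = 0` ... `if not same:` run) encodes the None / ('Anonymous',) / () convention from the commit message but never states it in the code, so a reader has to reverse-engineer why `None` is compared against `('Anonymous',)` and why `None` and `()` are deliberately unequal. Add a comment before the first `if`, e.g. `# None and ('Anonymous',) both mean public; () means private, so None must not match ().` The `got`/`expected` dict build ignores order and duplicate role names, which looks intentional but is only hinted at by "Dict compare does the Right Thing"; `# compare as sets: order and duplicates are irrelevant` says it plainly. The value compared comes from `eval(s)` on `__roles__`, and whether that is always a plain sequence (so `tuple(roles)` and the `for r in roles` loop hold) cannot be confirmed from this hunk; _checkRoles's signature and the `eval` setup lie before the hunk.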
...@@ -85,18 +85,18 @@ ...@@ -85,18 +85,18 @@
# #
############################################################################## ##############################################################################
# $Id: regressionSecurity.py,v 1.2 2001/10/18 14:30:51 andreasjung Exp $ # $Id: regressionSecurity.py,v 1.3 2001/10/18 15:44:47 shane Exp $
import os, sys, unittest import os, sys, unittest
import Zope import ZODB
import SecurityBase
from OFS.Folder import Folder from OFS.Folder import Folder
from OFS.SimpleItem import SimpleItem from OFS.SimpleItem import SimpleItem
from AccessControl import ClassSecurityInfo,getSecurityManager from AccessControl import ClassSecurityInfo,getSecurityManager
from AccessControl.User import nobody from AccessControl.User import nobody
import Globals import Globals
import SecurityBase
# let's define some permissions first # let's define some permissions first
...@@ -220,7 +220,7 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase): ...@@ -220,7 +220,7 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
def setUp(self): def setUp(self):
""" my setup """ """ my setup """
self.root = Zope.app() self.root = SecurityBase.app
acl = self.root.acl_users acl = self.root.acl_users
for user in USERS: for user in USERS:
...@@ -231,8 +231,6 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase): ...@@ -231,8 +231,6 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
acl._addUser(user.username,user.password,user.password, acl._addUser(user.username,user.password,user.password,
user.roles, []) user.roles, [])
get_transaction().commit()
# try to remove old crap # try to remove old crap
if 'test' in self.root.objectIds(): if 'test' in self.root.objectIds():
...@@ -255,8 +253,6 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase): ...@@ -255,8 +253,6 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
self.root.test.f2._setObject('f3',f3) self.root.test.f2._setObject('f3',f3)
self.root.test.f2.f3._setObject('obj3',obj) self.root.test.f2.f3._setObject('obj3',obj)
get_transaction().commit()
def testNobody(self): def testNobody(self):
""" check permissions for nobody user """ """ check permissions for nobody user """
...@@ -272,7 +268,7 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase): ...@@ -272,7 +268,7 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
def testPermissionAccess(self): def testPermissionAccess(self):
""" check permission based access """ """ check permission based access """
self._checkRoles('test.f2.f3.obj3.public_func', ()) self._checkRoles('test.f2.f3.obj3.public_func', None)
self._checkRoles('test.f2.f3.obj3.protected_func', ('Manager','Owner')) self._checkRoles('test.f2.f3.obj3.protected_func', ('Manager','Owner'))
self._checkRoles('test.f2.f3.obj3.manage_func', ('Manager',)) self._checkRoles('test.f2.f3.obj3.manage_func', ('Manager',))
self._checkRoles('test.f2.f3.obj3.private_func', ()) self._checkRoles('test.f2.f3.obj3.private_func', ())
......
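Review bot: `self.root = SecurityBase.app` in setUp makes every test case share one module-level application object, so the users added by `acl._addUser` in the loop that follows now persist across tests and across repeated runs in the same process; the cleanup shown further down only removes the 'test' subtree, so a second setUp calls `_addUser` for names that already exist. Whether `_addUser` tolerates an existing user cannot be told from this hunk. Consider a `tearDown` that deletes the USERS names from `acl` (the user folder's `_doDelUsers` does this, if it is available on this folder), or rebuild the fixture per test rather than reusing the module global. setUp's body continues outside the hunk.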