- Removed usage of ZODB from security suite.

- Corrected role comparison.  "None" means anonymous, an empty tuple means
  private, and private objects are not accessible even by managers.

- Removed attribute access tests, which don't work, and if they did,
  they would be duplicates of tests already in the RestrictedPython,
  DocumentTemplate, and PythonScripts packages.

lib/python/AccessControl/securitySuite/SecurityBase.py

@@ -84,13 +84,34 @@
 ##############################################################################
 
 
-import re, unittest, cStringIO
+import sys, re, unittest, cStringIO
 import ZPublisher, ResultObject
+import OFS.Application
+import AccessControl.SecurityManagement
+
+
+# Set up a publishable, non-ZODB Zope application.
+app = OFS.Application.Application()
+def index_html():
+    " "
+    return "This is index_html."
+app.index_html = index_html  # Will index_html ever go away? ;-)
+class BoboApplication:
+    # OFS.Application has a __bobo_traverse__ that ZPublisher thinks
+    # it should use to find the "real" root of the application.
+    # This class gets around that.
+    def __bobo_traverse__(self, request, name=None):
+        return app
+
+# ZPublisher will look for these vars.
+bobo_application = BoboApplication()
+zpublisher_validated_hook=AccessControl.SecurityManagement.newSecurityManager
+__bobo_before__=AccessControl.SecurityManagement.noSecurityManager
 
 
 class SecurityBase(unittest.TestCase) :
     """ Base class for all security tests 
-    $Id: SecurityBase.py,v 1.4 2001/10/18 14:30:51 andreasjung Exp $
+    $Id: SecurityBase.py,v 1.5 2001/10/18 15:44:47 shane Exp $
     """
 
     status_regex = re.compile("Status: ([0-9]{1,4}) (.*)",re.I)\
@@ -163,16 +184,20 @@ class SecurityBase(unittest.TestCase) :
         s = "self.root.%s.__roles__" % hier
         roles = eval(s)
 
-        if roles==None or len(roles)==0: 
-            roles=()
-        
-        roles = list(roles)
-        roles.sort()
-
-        expected_roles = list(expected_roles)
-        expected_roles.sort()
-
-        if roles != expected_roles: 
+        same = 0
+        if roles is None or expected_roles is None:
+            if (roles is None or tuple(roles) == ('Anonymous',)) and (
+                expected_roles is None or
+                tuple(expected_roles) == ('Anonymous',)):
+                same = 1
+        else:
+            got = {}
+            for r in roles: got[r] = 1
+            expected = {}
+            for r in expected_roles: expected[r] = 1
+            if got == expected:  # Dict compare does the Right Thing.
+                same = 1
+        if not same:
             raise AssertionError, self._roles_debug(hier,roles,expected_roles)
     
     def _checkRequest(self,*args,**kw):
@@ -204,8 +229,8 @@ class SecurityBase(unittest.TestCase) :
     def _roles_debug(self,hier,got_roles,expected_roles):
 
         s = 'Object: %s' % hier
-        s+= ', has roles: %s ' % got_roles        
-        s+= ', expected roles: %s' % expected_roles
+        s+= ', has roles: %s' % `got_roles`
+        s+= ', expected roles: %s' % `expected_roles`
 
         return s
 
@@ -224,7 +249,15 @@ class SecurityBase(unittest.TestCase) :
 
         io =cStringIO.StringIO()
         kw['fp']=io
-        ZPublisher.Zope(*args,**kw)
+        # Publish this module.
+        testargs = (__name__,) + args
+        real_stdout = sys.stdout
+        garbage_out = cStringIO.StringIO()
+        sys.stdout = garbage_out  # Silence, ZPublisher!
+        try:
+            ZPublisher.test(*testargs,**kw)
+        finally:
+            sys.stdout = real_stdout
         outp = io.getvalue()
         mo = self.status_regex.search(outp)
 

lib/python/AccessControl/securitySuite/regressionSecurity.py

@@ -85,18 +85,18 @@
 # 
 ##############################################################################
 
-# $Id: regressionSecurity.py,v 1.2 2001/10/18 14:30:51 andreasjung Exp $
+# $Id: regressionSecurity.py,v 1.3 2001/10/18 15:44:47 shane Exp $
 
 import os, sys, unittest
 
-import Zope
+import ZODB
+import SecurityBase
 from OFS.Folder import Folder
 from OFS.SimpleItem  import SimpleItem
 from AccessControl import ClassSecurityInfo,getSecurityManager
 from AccessControl.User import nobody
 import Globals
 
-import SecurityBase
 
 # let's define some permissions first
 
@@ -220,7 +220,7 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
     def setUp(self):
         """ my setup """
 
-        self.root = Zope.app()
+        self.root = SecurityBase.app
         acl = self.root.acl_users
 
         for user in USERS:
@@ -231,8 +231,6 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
             acl._addUser(user.username,user.password,user.password,
                             user.roles, [])
 
-        get_transaction().commit()
-
         # try to remove old crap
 
         if 'test' in self.root.objectIds():
@@ -255,8 +253,6 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
         self.root.test.f2._setObject('f3',f3)
         self.root.test.f2.f3._setObject('obj3',obj)
 
-        get_transaction().commit()
-
 
     def testNobody(self):
         """ check permissions for nobody user """
@@ -272,7 +268,7 @@ class AVeryBasicSecurityTest(SecurityBase.SecurityBase):
     def testPermissionAccess(self):
         """ check permission based access """
 
-        self._checkRoles('test.f2.f3.obj3.public_func',     ())    
+        self._checkRoles('test.f2.f3.obj3.public_func',     None)
         self._checkRoles('test.f2.f3.obj3.protected_func',  ('Manager','Owner'))
         self._checkRoles('test.f2.f3.obj3.manage_func',     ('Manager',))
         self._checkRoles('test.f2.f3.obj3.private_func',    ())