make the security works on accessors

add unit test for it patch done by Romain and Jerome git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@20998 20353a03-c40f-0410-a6d1-a30d3c3de9de

make the security works on accessors
add unit test for it patch done by Romain and Jerome git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@20998 20353a03-c40f-0410-a6d1-a30d3c3de9de
9122fa76 · Aurel · a0b4cb95 · 9122fa76 · 9122fa76
Commit 9122fa76 authored May 16, 2008 by Aurel
Hide whitespace changes
Inline Side-by-side

Showing with 108 additions and 1 deletion

product/ERP5Type/Accessor/Accessor.py product/ERP5Type/Accessor/Accessor.py +6 -1

product/ERP5Type/tests/testERP5Type.py product/ERP5Type/tests/testERP5Type.py +102 -0

No files found.
--- a/product/ERP5Type/Accessor/Accessor.py
+++ b/product/ERP5Type/Accessor/Accessor.py
@@ -35,6 +35,11 @@ class Accessor(Method):
    """
      Generic Accessor - placehold for common methods
    """
+    class __roles__:
+      @staticmethod
+      def rolesForPermissionOn(ob):
+        return getattr(ob.im_self, '%s__roles__' % ob.__name__)
+
    def __getinitargs__(self):
      init = getattr(self, '__init__', None)
      if init is not None:
@@ -62,4 +67,4 @@ class Accessor(Method):
    def asReindexAlias(self, id):
      # Returns a reindexing alias
      from Alias import ReindexAlias
-      return ReindexAlias(id, self.__name__)
\ No newline at end of file
+      return ReindexAlias(id, self.__name__)
--- a/product/ERP5Type/tests/testERP5Type.py
+++ b/product/ERP5Type/tests/testERP5Type.py
@@ -42,8 +42,10 @@ from Products.ERP5Type.Utils import removeLocalPropertySheet
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl import getSecurityManager
 from AccessControl import Unauthorized
+from AccessControl.ZopeGuards import guarded_getattr, guarded_hasattr
 from Products.ERP5Type.tests.utils import createZODBPythonScript
 from Products.ERP5Type.tests.utils import removeZODBPythonScript
+from Products.ERP5Type import Permissions

 class PropertySheetTestCase(ERP5TypeTestCase):
  """Base test case class for property sheets tests.
@@ -2093,6 +2095,106 @@ class TestPropertySheet:
      finally:
        removeZODBPythonScript(script_container, script_id)

+    def test_DefaultSecurityOnAccessors(self):
+      # Test accessors are protected correctly
+      self._addProperty('Person',
+                  ''' { 'id':         'foo_bar',
+                        'type':       'string',
+                        'mode':       'w', }''')
+      obj = self.getPersonModule().newContent(portal_type='Person')
+
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      # setter is protected by default with modify portal content
+      obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      # getter is protected with Access content information
+      obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+      obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
+
+    def test_DefaultSecurityOnListAccessors(self):
+      # Test list accessors are protected correctly
+      self._addProperty('Person',
+                  ''' { 'id':         'foo_bar',
+                        'type':       'lines',
+                        'mode':       'w', }''')
+      obj = self.getPersonModule().newContent(portal_type='Person')
+      self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
+      
+      # setter is protected by default with modify portal content
+      obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setFooBarList'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
+      
+      # getter is protected with Access content information
+      obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+      obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
+      self.assertFalse(guarded_hasattr(obj, 'getFooBarList'))
+
+    def test_DefaultSecurityOnCategoryAccessors(self):
+      # Test category accessors are protected correctly
+      obj = self.getPersonModule().newContent(portal_type='Person')
+      self.assertTrue(guarded_hasattr(obj, 'setRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
+      
+      # setter is protected by default with modify portal content
+      obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setRegion'))
+      self.assertFalse(guarded_hasattr(obj, 'setRegionValue'))
+      self.assertFalse(guarded_hasattr(obj, 'setRegionList'))
+      self.assertFalse(guarded_hasattr(obj, 'setRegionValueList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
+      
+      # getter is protected with Access content information
+      obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+      obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegion'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegionValue'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegionList'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegionValueList'))
+
+    def test_PropertySheetSecurityOnAccessors(self):
+      # Test accessors are protected correctly when you specify the permission
+      # in the property sheet.
+      self._addProperty('Person',
+                  ''' { 'id':         'foo_bar',
+                        'write_permission' : 'Set own password',
+                        'read_permission'  : 'Manage users',
+                        'type':       'string',
+                        'mode':       'w', }''')
+      obj = self.getPersonModule().newContent(portal_type='Person')
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      obj.manage_permission('Set own password', [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      obj.manage_permission('Set own password', ['Manager'], 1)
+      obj.manage_permission('Manage users', [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
+
 def test_suite():
  suite = unittest.TestSuite()
  suite.addTest(unittest.makeSuite(TestERP5Type))