If user (usually Anonymous User) can't acccess default document for a Web Section allow

(based on is_authorization_forced property of Web Section) a login form to be prompted or not to him. Extend tests to cover this new feature. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21699 20353a03-c40f-0410-a6d1-a30d3c3de9de

If user (usually Anonymous User) can't acccess default document for a Web Section allow
(based on is_authorization_forced property of Web Section) a login form to be prompted or not to him. Extend tests to cover this new feature. git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21699 20353a03-c40f-0410-a6d1-a30d3c3de9de
354c8350 · Ivan Tyagov · f59d03e2 · 354c8350 · 354c8350
Commit 354c8350 authored Jun 19, 2008 by Ivan Tyagov
Hide whitespace changes
Inline Side-by-side

Showing with 58 additions and 1 deletion

product/ERP5/Document/WebSection.py product/ERP5/Document/WebSection.py +12 -1

product/ERP5/tests/testERP5Web.py product/ERP5/tests/testERP5Web.py +46 -0

No files found.
--- a/product/ERP5/Document/WebSection.py
+++ b/product/ERP5/Document/WebSection.py
@@ -34,7 +34,8 @@ from Products.ERP5.Document.Domain import Domain
 from Products.ERP5.Document.Document import PermanentURLMixIn
 from Acquisition import ImplicitAcquisitionWrapper, aq_base, aq_inner
 from Products.ERP5Type.Base import TempBase
+from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
+from AccessControl import Unauthorized
 from zLOG import LOG, WARNING
 import sys
@@ -176,6 +177,16 @@ class WebSection(Domain, PermanentURLMixIn):
          return getattr(self, custom_render_method_id)()
        # The following could be moved to a typed based method for more flexibility
        document = self.getDefaultDocumentValue()
+        if document is None:
+          # no document found for current user, still such document may exists
+          # in some cases user (like Anonymous) can not view document according to portal catalog
+          # but we may ask him to login if such a document exists
+          isAuthorizationForced = getattr(self, 'isAuthorizationForced', None)
+          if isAuthorizationForced is not None and isAuthorizationForced():
+            getDefaultDocumentValue = UnrestrictedMethod(self.getDefaultDocumentValue)
+            if getDefaultDocumentValue() is not None:
+              # force user to login as specified in Web Section
+              raise Unauthorized
        if document is not None:
          self.REQUEST.set('current_web_document', document.__of__(self)) # Used to be document
          self.REQUEST.set('is_web_section_default_document', 1)

--- a/product/ERP5/tests/testERP5Web.py
+++ b/product/ERP5/tests/testERP5Web.py
@@ -483,6 +483,52 @@ class TestERP5Web(ERP5TypeTestCase, ZopeTestCase.Functional):
    get_transaction().commit()
    self.tic()
    self.assertEqual(web_page_en,   websection.getDefaultDocumentValue())
+  def test_10_WebSectionAuthorizationForcedForDefaultDocument(self, quiet=quiet, run=run_all_test):
+    """ Check that when a Web Section contains a default document not accessible by user we have a chance to 
+        require user to login.
+        Whether or not an user will login is controlled by a property on Web Section (authorization_forced).
+    """
+    if not run:   return
+    if not quiet:  
+      message = '\ntest_10_WebSectionAuthorizationForcedForDefaultDocument'
+      ZopeTestCase._print(message)
+    request = self.app.REQUEST    
+    website = self.setupWebSite()
+    websection = self.setupWebSection()
+    web_page_reference = 'default-document-reference'
+    web_page_en = self.portal.web_page_module.newContent(
+                                      portal_type = 'Web Page', 
+                                      language = 'en', 
+                                      reference = web_page_reference)
+    # this way it's not viewable by anonymous and we can test 
+    web_page_en.releaseAlive() 
+    websection.setAggregateValue(web_page_en)
+    websection.setAuthorizationForced(1)                                     
+    get_transaction().commit()
+    self.tic()
+    # make sure that getDefaultDocumentValue() will return the same document for logged in user
+    # if default document is accessible
+    self.assertEqual(web_page_en.getUid(), 
+                           websection.getDefaultDocumentValue().getUid())
+    # check Unauthorized exception is raised for anonymous when authorization_forced is set 
+    self.logout()
+    self.assertEqual(None,  websection.getDefaultDocumentValue()) 
+    self.assertRaises(Unauthorized,  websection)                           
+    # Anonymous User should not get Unauthorized when authorization_forced is not set
+    self.login()
+    websection.setAuthorizationForced(0)
+    get_transaction().commit()
+    self.tic()
+    self.logout()
+    self.assertEqual(None,  websection.getDefaultDocumentValue())
+    try:
+      websection()
+    except Unauthorized:
+      self.fail("Web Section should not prompt user for login.")
 class TestERP5WebWithSimpleSecurity(ERP5TypeTestCase):
  """