ERP5Type/tests/testERP5Type.py: Make sure that accessors are protected...

ERP5Type/tests/testERP5Type.py: Make sure that accessors are protected correctly when permission was specified in the property sheet.

ERP5Type/tests/testERP5Type.py: Make sure that accessors are protected...
ERP5Type/tests/testERP5Type.py: Make sure that accessors are protected correctly when permission was specified in the property sheet.
4469fdaf · Yusei Tahara · 6edd92c8 · 4469fdaf
Commit 4469fdaf authored Apr 10, 2017 by Yusei Tahara
Hide whitespace changes
Inline Side-by-side

Showing with 56 additions and 0 deletions

product/ERP5Type/tests/testERP5Type.py product/ERP5Type/tests/testERP5Type.py +56 -0

No files found.
--- a/product/ERP5Type/tests/testERP5Type.py
+++ b/product/ERP5Type/tests/testERP5Type.py
@@ -2700,6 +2700,62 @@ class TestERP5Type(PropertySheetTestCase, LogInterceptor):
      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
      self.assertFalse(guarded_hasattr(obj, 'getFooBar'))

+      # Make sure that we can use 'Access contents information' as
+      # write permission and 'Modify portal content' as read permission.
+      self._addProperty('Person',
+          'test_PropertySheetSecurityOnAccessors',
+          'hoge_hoge',
+          elementary_type='string',
+          write_permission='Access contents information',
+          read_permission='Modify portal content',
+          portal_type='Standard Property')
+      obj = self.getPersonModule().newContent(portal_type='Person')
+      self.assertTrue(guarded_hasattr(obj, 'setHogeHoge'))
+      self.assertTrue(guarded_hasattr(obj, 'getHogeHoge'))
+
+      obj.manage_permission('Access contents information', [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setHogeHoge'))
+      self.assertTrue(guarded_hasattr(obj, 'getHogeHoge'))
+
+      obj.manage_permission('Access contents information', ['Manager'], 1)
+      obj.manage_permission('Modify portal content', [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setHogeHoge'))
+      self.assertFalse(guarded_hasattr(obj, 'getHogeHoge'))
+
+      # Make sure that getProperty and setProperty respect accessor's
+      # security protection.
+      createZODBPythonScript(portal.portal_skins.custom,
+                             'Base_callAccessorHogeHoge',
+                             'mode',
+                             '''\
+if mode == 'getter':
+  context.getHogeHoge()
+elif mode == 'getProperty':
+  context.getProperty('hoge_hoge')
+elif mode == 'setter':
+  context.setHogeHoge('waa')
+elif mode == 'setProperty':
+  context.setProperty('waa')
+return True''')
+      # test accessors
+      obj.manage_permission('Access contents information', ['Manager'], 1)
+      obj.manage_permission('Modify portal content', ['Manager'], 1)
+      self.assertTrue(guarded_hasattr(obj, 'setHogeHoge'))
+      self.assertTrue(guarded_hasattr(obj, 'getHogeHoge'))
+      self.assertTrue(obj.Base_callAccessorHogeHoge(mode='getter'))
+      self.assertTrue(obj.Base_callAccessorHogeHoge(mode='setter'))
+      self.assertTrue(obj.Base_callAccessorHogeHoge(mode='getProperty'))
+      self.assertTrue(obj.Base_callAccessorHogeHoge(mode='setProperty'))
+
+      obj.manage_permission('Access contents information', [], 0)
+      obj.manage_permission('Modify portal content', [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setHogeHoge'))
+      self.assertFalse(guarded_hasattr(obj, 'getHogeHoge'))
+      self.assertRaises(Unauthorized, obj.Base_callAccessorHogeHoge, mode='getter')
+      self.assertRaises(Unauthorized, obj.Base_callAccessorHogeHoge, mode='setter')
+      self.assertRaises(Unauthorized, obj.Base_callAccessorHogeHoge, mode='getProperty')
+      self.assertRaises(Unauthorized, obj.Base_callAccessorHogeHoge, mode='setProperty')
+
    def test_edit(self):
      self._addProperty('Person',
          'test_edit',