Commit 48b0cdcd authored by Vincent Pelletier's avatar Vincent Pelletier

tests/testERP5Catalog.py:

  Revert 19128, 19173.
  Update test_check_security_table_content to new security table design decisions.
CatalogTool.py:
  Only index a local role if this precise local role grants View permission.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@19311 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 9cd0cdf4
...@@ -147,30 +147,18 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper): ...@@ -147,30 +147,18 @@ class IndexableObjectWrapper(CMFCoreIndexableObjectWrapper):
localroles = new_dict localroles = new_dict
# For each local role of a user: # For each local role of a user:
# If the local role grants View permission, add it. # If the local role grants View permission, add it.
# If any local role for this user grant him the View permission, add
# them all.
# Every addition implies 2 lines: # Every addition implies 2 lines:
# user:<user_id> # user:<user_id>
# user:<user_id>:<role_id> # user:<user_id>:<role_id>
# A line must not be present twice in final result. # A line must not be present twice in final result.
for user, roles in localroles.iteritems(): for user, roles in localroles.iteritems():
user_can_view = False
# First pass: find if user has a local role granting him view
# permission.
for role in roles:
if allowed.has_key(role):
user_can_view = True
break
if user_can_view:
# Second pass: add all roles if user has view permission.
if withnuxgroups: if withnuxgroups:
prefix = user prefix = user
else: else:
prefix = 'user:' + user prefix = 'user:' + user
allowed[prefix] = 1
for role in roles: for role in roles:
if role == 'Owner': # Skip this role explicitely if allowed.has_key(role):
continue allowed[prefix] = 1
allowed[prefix + ':' + role] = 1 allowed[prefix + ':' + role] = 1
return list(allowed.keys()) return list(allowed.keys())
......
...@@ -1686,95 +1686,6 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor): ...@@ -1686,95 +1686,6 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
self.assertEquals(1, folder.countFolder(title='Object Title', self.assertEquals(1, folder.countFolder(title='Object Title',
local_roles='Assignee')[0][0]) local_roles='Assignee')[0][0])
#Test if one of user Role with View permission return Object
ob1.manage_addLocalRoles('bob', ['Assignee', 'Auditor'])
ob1.manage_permission('View', ['Assignor', 'Auditor'], 0)
ob1.reindexObject()
get_transaction().commit()
self.tic()
user = getSecurityManager().getUser()
self.assertTrue(user.has_permission('View', ob1))
self.assertTrue(user.has_role('Assignee', ob1))
result_list = [r.getId() for r in ctool(title='Object Title', local_roles='Assignee')]
self.assertEquals(2, len(result_list))
self.assertEquals(2,
ctool.countResults(title='Object Title',
local_roles='Assignee')[0][0])
# this also work for searchFolder and countFolder
self.assertEquals(2, len(folder.searchFolder(title='Object Title',
local_roles='Assignee')))
self.assertEquals(2, folder.countFolder(title='Object Title',
local_roles='Assignee')[0][0])
def test_50_bis_LocalRolesArgumentWithERP5Security(self, quiet=quiet, run=run_all_test):
"""test local_roles= argument with ERP5Security
"""
if not run: return
if not quiet:
message = 'local_roles= argument with ERP5Security'
ZopeTestCase._print('\n%s ' % message)
LOG('Testing... ',0,message)
login = PortalTestCase.login
#Testing Security By ERP5Security Role Generation
#Create Categories and PortalType RoleInformation
self.login()
folder = self.getOrganisationModule()
ob1 = folder.newContent(title='Object Title')
ob2 = folder.newContent(title='Object Title')
ob2.manage_addLocalRoles('bob', ['Assignee'])
cat_tool = self.getPortal().portal_categories
cat_tool.group.newContent(id='company', portal_type='Category')
cat_tool.function.newContent(id='employee', portal_type='Category')
from Products.ERP5Type.RoleInformation import RoleInformation
role_auditor_inf = RoleInformation(id='Auditor',
title='Auditor',
category=('group/company',))
role_assignee_inf = RoleInformation(id='Assignee',
title='Assignee',
category=('group/company',
'function/employee',))
pt = self.getPortal().portal_types.Organisation
pt._roles = (role_auditor_inf, role_assignee_inf)
uf = self.getPortal().acl_users
uf._doAddUser('bob', '', ['Member'], [])
get_transaction().commit()
self.tic()
#Now Update Security
ob1.updateLocalRolesOnSecurityGroups()
ob1.manage_permission('View', ['Auditor', 'Assignor'], 0)
ob1.reindexObject()
#Remove Roles On Organisation Portal Type
pt._roles = ()
get_transaction().commit()
self.tic()
login(self, 'bob')
ctool = self.getCatalogTool()
user = getSecurityManager().getUser()
user._groups.update({'company':1,
'employee_company':1})
self.assertTrue(user.has_permission('View', ob1))
self.assertTrue(user.has_role('Auditor', ob1))
self.assertTrue(user.has_role('Assignee', ob1))
self.assertFalse(user.has_role('Assignor', ob1))
from AccessControl.PermissionRole import rolesForPermissionOn
self.assertTrue('Assignee' not in rolesForPermissionOn('View', ob1))
self.assertEquals(2, len(ctool(title='Object Title',
local_roles='Assignee')))
self.assertEquals(2,
ctool.countResults(title='Object Title',
local_roles='Assignee')[0][0])
# this also work for searchFolder and countFolder
self.assertEquals(2, len(folder.searchFolder(title='Object Title',
local_roles='Assignee')))
self.assertEquals(2, folder.countFolder(title='Object Title',
local_roles='Assignee')[0][0])
def test_51_SearchWithKeyWords(self, quiet=quiet, run=run_all_test): def test_51_SearchWithKeyWords(self, quiet=quiet, run=run_all_test):
if not run: return if not run: return
if not quiet: if not quiet:
...@@ -2355,11 +2266,8 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor): ...@@ -2355,11 +2266,8 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
else: else:
raise Exception, 'Malformed allowedRolesAndUsers value: %r' % (line['allowedRolesAndUsers'], ) raise Exception, 'Malformed allowedRolesAndUsers value: %r' % (line['allowedRolesAndUsers'], )
# Check that object that 'bar' can view because of 'Author' role can be # Check that object that 'bar' can view because of 'Author' role can *not*
# found when searching for his other 'Whatever' role. # be found when searching for his other 'Whatever' role.
# This is used by worklists: a worklist on Whatever must be able to find
# all visible documents even if Whatever is not the cause of this
# visibility.
local_role_dict = {'foo': ['Owner', 'Author'], local_role_dict = {'foo': ['Owner', 'Author'],
'bar': ['Whatever', 'Author']} 'bar': ['Whatever', 'Author']}
for container, portal_type in ((person_module, person), for container, portal_type in ((person_module, person),
...@@ -2369,7 +2277,7 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor): ...@@ -2369,7 +2277,7 @@ class TestERP5Catalog(ERP5TypeTestCase, LogInterceptor):
['Author']): ['Author']):
object = object_dict[getObjectDictKey()] object = object_dict[getObjectDictKey()]
result = query('SELECT roles_and_users.uid FROM roles_and_users, catalog WHERE roles_and_users.uid = catalog.security_uid AND catalog.uid = %i AND allowedRolesAndUsers = "user:bar:Whatever"' % (object.uid, )) result = query('SELECT roles_and_users.uid FROM roles_and_users, catalog WHERE roles_and_users.uid = catalog.security_uid AND catalog.uid = %i AND allowedRolesAndUsers = "user:bar:Whatever"' % (object.uid, ))
self.assertEqual(len(result), 1, '%r: len(%r) != 1' % (getObjectDictKey(), result)) self.assertEqual(len(result), 0, '%r: len(%r) != 0' % (getObjectDictKey(), result))
# Check that no 'bar' role are in security table when 'foo' has local # Check that no 'bar' role are in security table when 'foo' has local
# roles allowing him to view an object but 'bar' can't. # roles allowing him to view an object but 'bar' can't.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment