Test Security on Temp objects for connected and anonymous users

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@44631 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5/tests/testBase.py

@@ -37,8 +37,10 @@ from Testing import ZopeTestCase
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase,\
                                                        _getConversionServerDict
 from AccessControl.SecurityManagement import newSecurityManager
+from AccessControl import getSecurityManager
 from Products.ERP5Type.tests.Sequence import SequenceList
 from Products.ERP5Type.Base import Base
+from Products.ERP5Type.Utils import convertToUpperCase
 from zExceptions import BadRequest
 from Products.ERP5Type.tests.backportUnittest import skip
 from Products.ERP5Type.Workflow import addWorkflowByType
@@ -1015,7 +1017,6 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
     for permission in permission_list:
       manager_has_no_permission[permission] = ()
 
-    from AccessControl import getSecurityManager
     user = getSecurityManager().getUser()
     try:
       self.assertTrue(permission_list)
@@ -1192,15 +1193,48 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
     self.assertEquals(1, len(self.getPortal().portal_catalog(
       translated_portal_type='Person', title='translate_table_test')))
 
-  def test_TempBasePublicMethods(self):
-    # make sure TempBase methods 'edit' and 'setProperty' are actually public
+  def test_TemporaryObjectPublicMethodListForAnonymous(self):
+    """make sure temporary object methods are actually public.
+    Thanks to owner role, even for Anonymous users
+    """
     self.logout()
-    from Products.ERP5Type.Document import newTempBase
-    from OFS.Traversable import guarded_getattr
-    tb = newTempBase(self.portal, '_temp_base')
-    for name in ('edit', 'setProperty'):
+    organisation = self.portal.organisation_module.newContent(
+                                                    portal_type='Organisation',
+                                                    temp_object=True)
+    user = getSecurityManager().getUser()
+    self.assertTrue('Owner' in user.getRolesInContext(organisation))
+    from AccessControl.ZopeGuards import guarded_getattr
+    property_map_dict = organisation.propertyMap()
+    property_id_list = ('edit', 'setProperty', 'getProperty') + \
+              tuple(['get' + convertToUpperCase(property_map['id'])\
+                     for property_map in property_map_dict])
+
+    for property_id in property_id_list:
+      # should not raise Unauthorized
+      guarded_getattr(organisation, property_id)
+
+  def test_TemporaryObjectPublicMethodList(self):
+    """make sure temporary object methods are actually public.
+    Thanks to owner role.
+    """
+    uf = self.getPortal().acl_users
+    uf._doAddUser('BOBBY', '', ['Member',], [])
+    user = uf.getUserById('BOBBY').__of__(uf)
+    newSecurityManager(None, user)
+    organisation = self.portal.organisation_module.newContent(
+                                                    portal_type='Organisation',
+                                                    temp_object=True)
+    user = getSecurityManager().getUser()
+    self.assertTrue('Owner' in user.getRolesInContext(organisation))
+    from AccessControl.ZopeGuards import guarded_getattr
+    property_map_dict = organisation.propertyMap()
+    property_id_list = ('edit', 'setProperty', 'getProperty') + \
+              tuple(['get' + convertToUpperCase(property_map['id'])\
+                     for property_map in property_map_dict])
+
+    for property_id in property_id_list:
       # should not raise Unauthorized
-      edit = guarded_getattr(tb, name)
+      guarded_getattr(organisation, property_id)
 
   @skip("isIndexable is not designed to work like tested here, this test \
       must be rewritten once we know how to handle correctly templates")