Test Security on Temp objects for connected and anonymous users

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@44631 20353a03-c40f-0410-a6d1-a30d3c3de9de

Test Security on Temp objects for connected and anonymous users
git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@44631 20353a03-c40f-0410-a6d1-a30d3c3de9de
c3d34144 · Nicolas Delaby · 8ccd5d04 · c3d34144
Commit c3d34144 authored Mar 25, 2011 by Nicolas Delaby
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 8 deletions

product/ERP5/tests/testBase.py product/ERP5/tests/testBase.py +42 -8

No files found.
--- a/product/ERP5/tests/testBase.py
+++ b/product/ERP5/tests/testBase.py
@@ -37,8 +37,10 @@ from Testing import ZopeTestCase
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase,\
                                                       _getConversionServerDict
 from AccessControl.SecurityManagement import newSecurityManager
+from AccessControl import getSecurityManager
 from Products.ERP5Type.tests.Sequence import SequenceList
 from Products.ERP5Type.Base import Base
+from Products.ERP5Type.Utils import convertToUpperCase
 from zExceptions import BadRequest
 from Products.ERP5Type.tests.backportUnittest import skip
 from Products.ERP5Type.Workflow import addWorkflowByType
@@ -1015,7 +1017,6 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
    for permission in permission_list:
      manager_has_no_permission[permission] = ()
-    from AccessControl import getSecurityManager
    user = getSecurityManager().getUser()
    try:
      self.assertTrue(permission_list)
@@ -1192,15 +1193,48 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
    self.assertEquals(1, len(self.getPortal().portal_catalog(
      translated_portal_type='Person', title='translate_table_test')))
-  def test_TempBasePublicMethods(self):
+  def test_TemporaryObjectPublicMethodListForAnonymous(self):
-    # make sure TempBase methods 'edit' and 'setProperty' are actually public
+    """make sure temporary object methods are actually public.
+    Thanks to owner role, even for Anonymous users
+    """
    self.logout()
-    from Products.ERP5Type.Document import newTempBase
+    organisation = self.portal.organisation_module.newContent(
-    from OFS.Traversable import guarded_getattr
+                                                    portal_type='Organisation',
-    tb = newTempBase(self.portal, '_temp_base')
+                                                    temp_object=True)
-    for name in ('edit', 'setProperty'):
+    user = getSecurityManager().getUser()
+    self.assertTrue('Owner' in user.getRolesInContext(organisation))
+    from AccessControl.ZopeGuards import guarded_getattr
+    property_map_dict = organisation.propertyMap()
+    property_id_list = ('edit', 'setProperty', 'getProperty') + \
+              tuple(['get' + convertToUpperCase(property_map['id'])\
+                     for property_map in property_map_dict])
+    for property_id in property_id_list:
+      # should not raise Unauthorized
+      guarded_getattr(organisation, property_id)
+  def test_TemporaryObjectPublicMethodList(self):
+    """make sure temporary object methods are actually public.
+    Thanks to owner role.
+    """
+    uf = self.getPortal().acl_users
+    uf._doAddUser('BOBBY', '', ['Member',], [])
+    user = uf.getUserById('BOBBY').__of__(uf)
+    newSecurityManager(None, user)
+    organisation = self.portal.organisation_module.newContent(
+                                                    portal_type='Organisation',
+                                                    temp_object=True)
+    user = getSecurityManager().getUser()
+    self.assertTrue('Owner' in user.getRolesInContext(organisation))
+    from AccessControl.ZopeGuards import guarded_getattr
+    property_map_dict = organisation.propertyMap()
+    property_id_list = ('edit', 'setProperty', 'getProperty') + \
+              tuple(['get' + convertToUpperCase(property_map['id'])\
+                     for property_map in property_map_dict])
+    for property_id in property_id_list:
      # should not raise Unauthorized
-      edit = guarded_getattr(tb, name)
+      guarded_getattr(organisation, property_id)
  @skip("isIndexable is not designed to work like tested here, this test \
      must be rewritten once we know how to handle correctly templates")