ZODB Components: Only Manager or Developer Role should be able to access...

ZODB Components: Only Manager or Developer Role should be able to access Component Tools and Components.

ZODB Components: Only Manager or Developer Role should be able to access...
ZODB Components: Only Manager or Developer Role should be able to access Component Tools and Components.
e695947f · Arnaud Fontaine · 5df5fcf7 · e695947f · e695947f
Commit e695947f authored Aug 15, 2013 by Arnaud Fontaine
Showing with 11 additions and 5 deletions

product/ERP5Type/Tool/ComponentTool.py product/ERP5Type/Tool/ComponentTool.py +5 -5

product/ERP5Type/tests/testDynamicClassGeneration.py product/ERP5Type/tests/testDynamicClassGeneration.py +6 -0

No files found.
--- a/product/ERP5Type/Tool/ComponentTool.py
+++ b/product/ERP5Type/Tool/ComponentTool.py
@@ -82,12 +82,12 @@ class ComponentTool(BaseTool):
        permission_function = lambda self: ('Manager',)
      elif permission_name in ('Change permissions', 'Define permissions'):
        permission_function = lambda self: ()
-      elif not (permission_name.startswith('Access ') or
+      elif (permission_name.startswith('Access ') or
-                permission_name.startswith('View') or
+            permission_name.startswith('View') or
-                permission_name.startswith('WebDAV')):
+            permission_name == 'WebDAV access'):
-        permission_function = lambda self: ('Developer',)
+        permission_function = lambda self: ('Developer', 'Manager')
      else:
-        continue
+        permission_function = lambda self: ('Developer',)
      setattr(cls, pname(permission_name), property(permission_function))

--- a/product/ERP5Type/tests/testDynamicClassGeneration.py
+++ b/product/ERP5Type/tests/testDynamicClassGeneration.py
@@ -1856,6 +1856,12 @@ def bar(*args, **kwargs):
    self.tic()
+    # Anonymous should not even be able to view/access Component Tool
+    self.failIfUserCanViewDocument(None, self._component_tool)
+    self.failIfUserCanAccessDocument(None, self._component_tool)
+    self.failIfUserCanViewDocument(None, component)
+    self.failIfUserCanAccessDocument(None, component)
    user_id = 'ERP5TypeTestCase'
    self.assertUserCanChangeLocalRoles(user_id, self._component_tool)