officejs_test: Initial security Test

bt5/officejs_test/TestTemplateItem/portal_components/test.erp5.testOfficeJSSecurity.py

+##############################################################################
+#
+# Copyright (c) 2002-2017 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+##############################################################################
+
+from Products.ERP5Type.tests.SecurityTestCase import SecurityTestCase
+#from unittest import expectedFailure
+#from zLOG import LOG, INFO, ERROR
+import time
+TEST_USER_BASE = "test_eos_user"
+
+class TestOfficeJSSecurity(SecurityTestCase):
+
+  def afterSetUp(self):
+    """
+    This is ran before anything, used to set the environment
+    """
+    pass
+
+  def beforeTearDown(self):
+    pass
+
+  def getTitle(self):
+    return "Test OfficeJS Security"
+
+  def getBusinessTemplateList(self):
+    """
+    Tuple of Business Templates we need to install
+    """
+    return ('erp5_base',)
+
+  def checkNewMember(self, person, website_id="letitseed"):
+    self.assertEqual(repr(sorted(person.getCareerRoleList())), repr(["author"]))
+    assignment, = person.searchFolder(portal_type="Assignment", validation_state="open") # not "opened"!
+    self.assertEqual(
+      repr(sorted(assignment.getCategoryList())),
+      repr(["role/author"]))
+
+  def _newMemberNoTicNoCheck(self,
+                 tag="user_creation_in_progress",
+                 first_name="John_test",
+                 last_name="Smith_test",
+                 reference=TEST_USER_BASE,
+                 email="john.smith@test.com",
+                 special_id=None):
+    """
+    Add new member using script for the website sign-in
+    """
+    if special_id is not None:
+      reference += "%s" % special_id
+    else:
+      reference += "%s" % time.time()
+    # XXX
+    user_list = self.portal.portal_catalog(portal_type="Person", reference=reference)
+    self.assertEqual(len(user_list), 0)
+    user = self.portal.person_module.newContent(
+      portal_type="Person",
+      reference=reference,
+      first_name=first_name,
+      last_name=last_name,
+      default_email_coordinate_text=email,
+    )
+    user.validate()
+    assignment = user.newContent(portal_type="Assignment", title=reference)
+    assignment.setCategoryList(["role/author"])
+    assignment.open()
+    user.setCareerRoleList(["author"])
+    return user
+
+  def _newMemberAndTic(self, *args, **kwargs):
+    user = self._newMemberNoTicNoCheck(*args, **kwargs)
+    self.tic()
+    self.checkNewMember(user)
+    return user
+
+  def test_01_user_see_itself_but_noone_else(self):
+    person = self._newMemberNoTicNoCheck()
+    second_user = self._newMemberNoTicNoCheck(special_id="%s_3" % time.time())
+    self.tic()
+    self.failUnlessUserCanViewDocument(person.getUserId(),
+                                       person)
+    self.failIfUserCanModifyDocument(person.getUserId(),
+                                     person)
+    self.failIfUserCanViewDocument(second_user.getUserId(),
+                                   person)

bt5/officejs_test/TestTemplateItem/portal_components/test.erp5.testOfficeJSSecurity.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Test Component" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_recorded_property_dict</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>default_reference</string> </key>
+            <value> <string>testOfficeJSSecurity</string> </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>test.erp5.testOfficeJSSecurity</string> </value>
+        </item>
+        <item>
+            <key> <string>portal_type</string> </key>
+            <value> <string>Test Component</string> </value>
+        </item>
+        <item>
+            <key> <string>sid</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>text_content_error_message</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>text_content_warning_message</string> </key>
+            <value>
+              <tuple/>
+            </value>
+        </item>
+        <item>
+            <key> <string>version</string> </key>
+            <value> <string>erp5</string> </value>
+        </item>
+        <item>
+            <key> <string>workflow_history</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary>
+                <item>
+                    <key> <string>component_validation_workflow</string> </key>
+                    <value>
+                      <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
+                    </value>
+                </item>
+              </dictionary>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="4" aka="AAAAAAAAAAQ=">
+    <pickle>
+      <global name="WorkflowHistoryList" module="Products.ERP5Type.patches.WorkflowTool"/>
+    </pickle>
+    <pickle>
+      <tuple>
+        <none/>
+        <list>
+          <dictionary>
+            <item>
+                <key> <string>action</string> </key>
+                <value> <string>validate</string> </value>
+            </item>
+            <item>
+                <key> <string>validation_state</string> </key>
+                <value> <string>validated</string> </value>
+            </item>
+          </dictionary>
+        </list>
+      </tuple>
+    </pickle>
+  </record>
+</ZopeData>

bt5/officejs_test/bt/copyright_list

+2017
\ No newline at end of file

bt5/officejs_test/bt/dependency_list

+officejs_base
+officejs_security
\ No newline at end of file

bt5/officejs_test/bt/maintainer_list

+Cédric Le Ninivin
\ No newline at end of file

bt5/officejs_test/bt/template_format_version

+1
\ No newline at end of file

bt5/officejs_test/bt/template_test_id_list

+test.erp5.testOfficeJSSecurity
\ No newline at end of file

bt5/officejs_test/bt/title

+officejs_test
\ No newline at end of file