Added a test in order to check if the read_permissions and write_permissions are

respected at portal_preferences acessors.



git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@36285 20353a03-c40f-0410-a6d1-a30d3c3de9de

product/ERP5Form/PreferenceTool.py

@@ -97,6 +97,8 @@ def createPreferenceToolAccessorList(portal) :
   # Generate common method names
   for prop in property_list:
     if prop.get('preference'):
+      # XXX read_permission and write_permissions defined at
+      # property sheet are not respected by this.
       # only properties marked as preference are used
       attribute = prop['id']
       attr_list = [ 'get%s' % convertToUpperCase(attribute)]

product/ERP5Form/tests/testPreferences.py

@@ -34,6 +34,7 @@ import transaction
 from AccessControl.SecurityManagement import noSecurityManager
 from AccessControl.SecurityManagement import getSecurityManager
 from zExceptions import Unauthorized
+from AccessControl.ZopeGuards import guarded_hasattr
 from DateTime import DateTime
 
 from Products.ERP5Type.tests.testERP5Type import PropertySheetTestCase
@@ -527,7 +528,56 @@ class TestPreferences(PropertySheetTestCase):
 
     self.assertTrue(portal_preferences.getDummy())
     self.assertTrue(portal_preferences.isDummy())
+
+  def test_property_sheet_security_on_permission(self):
+    """ Added a test to make sure permissions are used into portal
+        preference level. """
+    write_permission = 'Modify portal content'
+    read_permission = 'Manage portal'
+    self._addPropertySheet('Preference', 'DummyPreference',
+        '''class DummyPreference:
+             _properties= ( {'id': 'preferred_toto',
+                             'write_permission' : 'Modify portal content',
+                             'read_permission'  : 'Manage portal',
+                             'preference': 1,
+                             'type': 'string',},)''')
+
+    obj = self.portal.portal_preferences.newContent(portal_type='Preference')
+    obj.enable()
+    transaction.commit()
+    self.tic()
     
+    self.assertTrue(guarded_hasattr(obj, 'setPreferredToto'))
+    obj.setPreferredToto("A TEST")
+    self.assertTrue(guarded_hasattr(obj, 'getPreferredToto'))
+
+    obj.manage_permission(write_permission, [], 0)
+    self.assertFalse(guarded_hasattr(obj, 'setPreferredToto'))
+    self.assertTrue(guarded_hasattr(obj, 'getPreferredToto'))
+
+    obj.manage_permission(write_permission, ['Manager'], 1)
+    obj.manage_permission(read_permission, [], 0)
+    self.assertTrue(guarded_hasattr(obj, 'setPreferredToto'))
+    self.assertFalse(guarded_hasattr(obj, 'getPreferredToto'))
+
+    obj.manage_permission(read_permission, ['Manager'], 1)
+
+    transaction.commit()
+    self.tic()
+
+    preference_tool = self.portal.portal_preferences
+    self.assertTrue(guarded_hasattr(preference_tool, 'getPreferredToto'))
+    self.assertEquals("A TEST", preference_tool.getPreferredToto())
+
+    preference_tool.manage_permission(write_permission, [], 0)
+    self.assertTrue(guarded_hasattr(preference_tool, 'getPreferredToto'))
+
+    preference_tool.manage_permission(write_permission, ['Manager'], 1)
+    preference_tool.manage_permission(read_permission, [], 0)
+    obj.manage_permission(read_permission, [], 0)
+    self.assertFalse(guarded_hasattr(preference_tool, 'getPreferredToto'))
+
+    preference_tool.manage_permission(read_permission, ['Manager'], 1)
 
 def test_suite():
   suite = unittest.TestSuite()