[Erp5-dev] Strange cases with security in Unit tests

Mikolaj Antoszkiewicz mikolaj at erp5.pl
Wed Nov 14 19:44:29 CET 2007


Hello,

When playing tests I got halted on such a curious (for me) situation.
- As userA I'm creating the (tweaked) event object and setting myself as the event's source.
- Then I change the source to userB (logged in as user_manager).
- Security is set to give the View and Access Content Information permissions to the user who is the source.
- The permissions are set, and verified successfully with the 'has_permission' method, but...
I get this exception when trying to do event.view()

*** Unauthorized: Your user account does not have the required permission.
     Access to 'sales_rep_A' of (Folder at /Bziubziak/person_module) 
denied.
     Your user account, sales_rep_B, exists at /Bziubziak/acl_users.
     Access requires Access_contents_information_Permission, granted to 
the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor', 
'Author', 'Manager', 'Owner'].
     Your roles in this context are ['Authenticated', 'Member'].

It seems there should be some relations to userA still set on the event object. Well...
To prove that userA is no longer related in any way to that object, here's its Dict attached.

Can entries in workflow_history have any influence on that? I think not. What other relations not listed in showDict might exist that cause such an error?


Also there is a case where a user doesn't have modify permissions on the object, can't even View it, but I can manually execute setter and getter methods on it (in test only).
Is this a known case? Should such checks be made strictly using has_permission methods and not by trying to actually modify/view the object?

Concerned,
Mikolaj
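Added example, not part of the post and not ERP5/Zope code: a constructed Python model of the two-object situation in the traceback above. It assumes that event.view() still dereferences sales_rep_A through some reference (modelled here as `creator`; the post does not say which one) and that sales_rep_B holds the Auditor role only on the event, and it shows why has_permission on the event can be true while the view is denied on the person, and why direct attribute access in a test never consults security at all (the second question).

```python
# Constructed model of Zope-style context-local permission checks. It is
# not ERP5/Zope code; it only mimics the roles and messages in the traceback.
class Unauthorized(Exception):
    pass

# Roles granting "Access contents information", copied from the traceback.
ACCESS_ROLES = {"Assignee", "Assignor", "Associate", "Auditor",
                "Author", "Manager", "Owner"}
GLOBAL_ROLES = {"Authenticated", "Member"}   # every logged-in user has these

class Obj:
    def __init__(self, path, local_roles=None, **attrs):
        self.path, self.local_roles = path, local_roles or {}
        self.__dict__.update(attrs)

    def roles_of(self, user):            # roles are resolved per object
        return GLOBAL_ROLES | self.local_roles.get(user, set())

    def has_permission(self, user):
        return bool(self.roles_of(user) & ACCESS_ROLES)

def guarded_getattr(obj, name, user):
    """Access as restricted code would: check on *this* object, then return."""
    if not obj.has_permission(user):
        raise Unauthorized("Access to %r of %s denied; roles here: %s" % (
            name, obj.path, sorted(obj.roles_of(user))))
    return getattr(obj, name)

class Event(Obj):
    def view(self, user):
        # The view renders related persons, so checks also run on them.
        # Assumption: a reference to sales_rep_A survives as 'creator'.
        for person in (guarded_getattr(self, "source", user),
                       guarded_getattr(self, "creator", user)):
            guarded_getattr(person, "title", user)
        return "rendered"

def build_scenario():
    a = Obj("/person_module/sales_rep_A", {"sales_rep_A": {"Owner"}}, title="A")
    b = Obj("/person_module/sales_rep_B", {"sales_rep_B": {"Owner"}}, title="B")
    # Created by A, source later switched to B; B holds Auditor on the event.
    return Event("/event_module/1", {"sales_rep_B": {"Auditor"}}, source=b, creator=a)

def reproduce(user):
    """Return (has_permission on the event, view result or error text)."""
    event = build_scenario()
    try:
        return event.has_permission(user), event.view(user)
    except Unauthorized as e:
        return event.has_permission(user), str(e)

def direct_vs_guarded(user):
    """Plain getattr bypasses the check; only the guarded path enforces it."""
    a = build_scenario().creator
    try:
        return a.title, (guarded_getattr(a, "title", user) and None)
    except Unauthorized as e:
        return a.title, str(e)
```

In a test, checking has_permission on the event alone is therefore not enough; the same check has to hold on every object the view dereferences, and a direct setter/getter call proves nothing about security.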