[Erp5-dev] Strange cases with security in Unit tests

Mikolaj Antoszkiewicz mikolaj at erp5.pl
Wed Nov 14 19:49:37 CET 2007



Mikolaj Antoszkiewicz wrote:
> Hello,
> 
> When playing tests I got halted on such a curious (for me) situation.
> - As userA I'm creating the (tweaked) event object and setting myself as 
> event's source.
> - Then I change the source to userB (logged in as user_manager)
> - Security is set to give View and Access Content Information permission 
> to the user who is source.
> - The permissions are set, and verified successfully with 
> 'has_permission' method, but...
> I get this exception when trying to do event.view()
> 
> *** Unauthorized: Your user account does not have the required permission.
>     Access to 'sales_rep_A' of (Folder at /Bziubziak/person_module) denied.
>     Your user account, sales_rep_B, exists at /Bziubziak/acl_users.
>     Access requires Access_contents_information_Permission, granted to 
> the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor', 
> 'Author', 'Manager', 'Owner'].
>     Your roles in this context are ['Authenticated', 'Member'].
> 
> It seems there should be some relations to userA still set on the event 
> object. Well...
> To prove that userA is no longer related in any way to that object, 
> here's its Dict attached.
> 
> Can entries in workflow_history have any influence on that? I think that 
> no. What other relations not listed in showDict might exist that cause 
> such error?
> 
> 
> Also there is a case where user doesn't have modify permissions on the 
> object, can't even View it, but I can manually execute setter and getter 
> methods on it (in test only).
> Is this a known case? Should such checks be made strictly using 
> has_permission methods and not by trying to actually modify/view object?
> 
> Concerned,
> Mikolaj

Sorry, wrong dict attached. This one looks much better... :)

M.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.tiolive.com/pipermail/erp5-dev/attachments/20071114/404409e3/attachment.htm>

