[Erp5-report] r11099 - in /erp5/trunk/products/ERP5Catalog: ./ tests/

nobody at svn.erp5.org nobody at svn.erp5.org
Mon Nov 6 10:10:58 CET 2006 

Author: alex
Date: Mon Nov  6 10:10:54 2006
New Revision: 11099

URL: http://svn.erp5.org?rev=11099&view=rev
Log:
ERP5Catalog queries now handle proxy roles correctly (test included)

Modified:
    erp5/trunk/products/ERP5Catalog/CatalogTool.py
    erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py

Modified: erp5/trunk/products/ERP5Catalog/CatalogTool.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Catalog/CatalogTool.py?rev=11099&r1=11098&r2=11099&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Catalog/CatalogTool.py (original)
+++ erp5/trunk/products/ERP5Catalog/CatalogTool.py Mon Nov  6 10:10:54 2006
@@ -291,7 +291,18 @@
       security_product = getSecurityProduct(self.acl_users)
       if security_product == SECURITY_USING_PAS:
         # We use ERP5Security PAS based authentication
-        result = list( user.getRoles() )
+        try:
+          # check for proxy role in stack
+          eo = getSecurityManager()._context.stack[-1]
+          proxy_roles = getattr(eo,'_proxy_roles',None)
+        except IndexError:
+          proxy_roles = None
+        if proxy_roles:
+          # apply proxy roles
+          user = eo.getOwner()
+          result = list( proxy_roles )
+        else:
+          result = list( user.getRoles() )
         result.append( 'Anonymous' )
         result.append( 'user:%s' % user.getId() )
         # deal with groups

Modified: erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py?rev=11099&r1=11098&r2=11099&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py (original)
+++ erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py Mon Nov  6 10:10:54 2006
@@ -36,10 +36,13 @@
 
 from Testing import ZopeTestCase
 from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
+from AccessControl import getSecurityManager
 from AccessControl.SecurityManagement import newSecurityManager
 from zLOG import LOG
 from DateTime import DateTime
 from Products.CMFCore.tests.base.testcase import LogInterceptor
+from Testing.ZopeTestCase.PortalTestCase import PortalTestCase
+from Products.ERP5Type.tests.utils import createZODBPythonScript
 
 try:
   from transaction import get as get_transaction
@@ -1044,3 +1047,57 @@
     get_transaction().commit()
     self.tic()
     self.assertEquals(0, len(folder.searchFolder()))
+
+  def test_ProxyRolesInRestrictedPython(self, quiet=quiet, run=run_all_test):
+    """test that proxy roles apply to catalog queries within python scripts
+    """
+    if not run: return
+    login = PortalTestCase.login
+    perm = 'View'
+
+    uf = self.getPortal().acl_users
+    uf._doAddUser('alice', '', ['Member', 'Manager', 'Assignor'], [])
+    uf._doAddUser('bob', '', ['Member'], [])
+    # create restricted object
+    login(self, 'alice')
+    folder = self.getOrganisationModule()
+    ob = folder.newContent()
+    # make sure permissions are correctly set
+    folder.manage_permission('Access contents information', ['Member'], 1)
+    folder.manage_permission(perm, ['Member'], 1)
+    ob.manage_permission('Access contents information', ['Member'], 1)
+    ob.manage_permission(perm, ['Manager'], 0)
+    get_transaction().commit()
+    self.tic()
+    # check access
+    self.assertEquals(1, getSecurityManager().checkPermission(perm, folder))
+    self.assertEquals(1, getSecurityManager().checkPermission(perm, ob))
+    login(self, 'bob')
+    self.assertEquals(1, getSecurityManager().checkPermission(perm, folder))
+    self.assertEquals(None, getSecurityManager().checkPermission(perm, ob))
+    # add a script that calls a catalog method
+    login(self, 'alice')
+    script = createZODBPythonScript(self.getPortal().portal_skins.custom,
+        'catalog_test_script', '', "return len(context.searchFolder())")
+
+    # test without proxy role
+    self.assertEquals(1, folder.catalog_test_script())
+    login(self, 'bob')
+    self.assertEquals(0, folder.catalog_test_script())
+
+    # test with proxy role and correct role
+    login(self, 'alice')
+    script.manage_proxy(['Manager'])
+    self.assertEquals(1, folder.catalog_test_script())
+    login(self, 'bob')
+    self.assertEquals(1, folder.catalog_test_script())
+
+    # test with proxy role and wrong role
+    login(self, 'alice')
+    script.manage_proxy(['Assignor'])
+    # proxy roles must overwrite the user's roles, even if he is the owner
+    # of the script
+    self.assertEquals(0, folder.catalog_test_script())
+    login(self, 'bob')
+    self.assertEquals(0, folder.catalog_test_script())
+

More information about the Erp5-report mailing list