[Erp5-report] r11099 - in /erp5/trunk/products/ERP5Catalog: ./ tests/
nobody at svn.erp5.org
nobody at svn.erp5.org
Mon Nov 6 10:10:58 CET 2006
Author: alex
Date: Mon Nov 6 10:10:54 2006
New Revision: 11099
URL: http://svn.erp5.org?rev=11099&view=rev
Log:
ERP5Catalog queries now handle proxy roles correctly (test included)
Modified:
erp5/trunk/products/ERP5Catalog/CatalogTool.py
erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py
Modified: erp5/trunk/products/ERP5Catalog/CatalogTool.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Catalog/CatalogTool.py?rev=11099&r1=11098&r2=11099&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Catalog/CatalogTool.py (original)
+++ erp5/trunk/products/ERP5Catalog/CatalogTool.py Mon Nov 6 10:10:54 2006
@@ -291,7 +291,18 @@
security_product = getSecurityProduct(self.acl_users)
if security_product == SECURITY_USING_PAS:
# We use ERP5Security PAS based authentication
- result = list( user.getRoles() )
+ try:
+ # check for proxy role in stack
+ eo = getSecurityManager()._context.stack[-1]
+ proxy_roles = getattr(eo,'_proxy_roles',None)
+ except IndexError:
+ proxy_roles = None
+ if proxy_roles:
+ # apply proxy roles
+ user = eo.getOwner()
+ result = list( proxy_roles )
+ else:
+ result = list( user.getRoles() )
result.append( 'Anonymous' )
result.append( 'user:%s' % user.getId() )
# deal with groups
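Review bot: In the proxy-role branch, `user = eo.getOwner()` replaces the caller's identity as well as the roles, so the `user:%s` token appended just below (and presumably the group tokens built after `# deal with groups`, which lies outside this hunk) are those of the script owner. Any caller of a proxy-role script would then match documents indexed for the owner personally, which is wider than substituting roles; if that is intended, say so in a comment such as `# proxy roles run with the script owner's identity, as well as the listed roles`. Otherwise drop the reassignment and keep the caller's id. `getOwner()` can, as far as I can tell, return None for an unowned object, and `user.getId()` would then raise, so a guard like `owner = eo.getOwner()` / `if owner is not None: user = owner` is safer. The reach into `getSecurityManager()._context.stack` depends on a private AccessControl attribute and deserves a comment naming the policy code it mirrors.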
Modified: erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py?rev=11099&r1=11098&r2=11099&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py (original)
+++ erp5/trunk/products/ERP5Catalog/tests/testERP5Catalog.py Mon Nov 6 10:10:54 2006
@@ -36,10 +36,13 @@
from Testing import ZopeTestCase
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
+from AccessControl import getSecurityManager
from AccessControl.SecurityManagement import newSecurityManager
from zLOG import LOG
from DateTime import DateTime
from Products.CMFCore.tests.base.testcase import LogInterceptor
+from Testing.ZopeTestCase.PortalTestCase import PortalTestCase
+from Products.ERP5Type.tests.utils import createZODBPythonScript
try:
from transaction import get as get_transaction
@@ -1044,3 +1047,57 @@
get_transaction().commit()
self.tic()
self.assertEquals(0, len(folder.searchFolder()))
+
+ def test_ProxyRolesInRestrictedPython(self, quiet=quiet, run=run_all_test):
+ """test that proxy roles apply to catalog queries within python scripts
+ """
+ if not run: return
+ login = PortalTestCase.login
+ perm = 'View'
+
+ uf = self.getPortal().acl_users
+ uf._doAddUser('alice', '', ['Member', 'Manager', 'Assignor'], [])
+ uf._doAddUser('bob', '', ['Member'], [])
+ # create restricted object
+ login(self, 'alice')
+ folder = self.getOrganisationModule()
+ ob = folder.newContent()
+ # make sure permissions are correctly set
+ folder.manage_permission('Access contents information', ['Member'], 1)
+ folder.manage_permission(perm, ['Member'], 1)
+ ob.manage_permission('Access contents information', ['Member'], 1)
+ ob.manage_permission(perm, ['Manager'], 0)
+ get_transaction().commit()
+ self.tic()
+ # check access
+ self.assertEquals(1, getSecurityManager().checkPermission(perm, folder))
+ self.assertEquals(1, getSecurityManager().checkPermission(perm, ob))
+ login(self, 'bob')
+ self.assertEquals(1, getSecurityManager().checkPermission(perm, folder))
+ self.assertEquals(None, getSecurityManager().checkPermission(perm, ob))
+ # add a script that calls a catalog method
+ login(self, 'alice')
+ script = createZODBPythonScript(self.getPortal().portal_skins.custom,
+ 'catalog_test_script', '', "return len(context.searchFolder())")
+
+ # test without proxy role
+ self.assertEquals(1, folder.catalog_test_script())
+ login(self, 'bob')
+ self.assertEquals(0, folder.catalog_test_script())
+
+ # test with proxy role and correct role
+ login(self, 'alice')
+ script.manage_proxy(['Manager'])
+ self.assertEquals(1, folder.catalog_test_script())
+ login(self, 'bob')
+ self.assertEquals(1, folder.catalog_test_script())
+
+ # test with proxy role and wrong role
+ login(self, 'alice')
+ script.manage_proxy(['Assignor'])
+ # proxy roles must overwrite the user's roles, even if he is the owner
+ # of the script
+ self.assertEquals(0, folder.catalog_test_script())
+ login(self, 'bob')
+ self.assertEquals(0, folder.catalog_test_script())
+
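Review bot: Every assertion in `test_ProxyRolesInRestrictedPython` decides visibility through the role-based `View` permission on `ob`, so the identity swap made in CatalogTool.py (`user = eo.getOwner()`, which feeds the `user:%s` token) is never exercised. A further case is needed in which the document is visible only through a local role granted to one user, with the script called by another user under a proxy role. It should pin whether the caller is meant to see the document. The test also leaves `catalog_test_script` in `portal_skins.custom` and the `alice` and `bob` accounts in `acl_users`; unless a tearDown outside this hunk removes them, later tests inherit that state.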