[Erp5-report] r20200 - in /erp5/trunk/products/ERP5Type: Base.py tests/testERP5Type.py
Fri Mar 28 18:21:50 CET 2008
Author: jerome
Date: Fri Mar 28 18:21:50 2008
New Revision: 20200
URL: http://svn.erp5.org?rev=20200&view=rev
Log:
Fix behaviour of category accessors when a document is related to
another document you cannot access.
The behaviour was different whether you use the default accessor or the list accessor:
- get(Category)Value raises Unauthorized
- get(Category)ValueList filters documents you cannot access (because
exceptions are ignored).
As you can pass checked_permission= to explicitly filter documents you cannot
access, get(Category)ValueList should raise Unauthorized, this also makes
behaviour consistent with get(Category)Value.
Modified:
erp5/trunk/products/ERP5Type/Base.py
erp5/trunk/products/ERP5Type/tests/testERP5Type.py
Modified: erp5/trunk/products/ERP5Type/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Base.py?rev=20200&r1=20199&r2=20200&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Base.py (original)
+++ erp5/trunk/products/ERP5Type/Base.py Fri Mar 28 18:21:50 2008
@@ -2007,13 +2007,7 @@
ref_list = []
for path in self._getAcquiredCategoryMembershipList(id, base=1,
spec=spec, filter=filter, **kw):
- try:
- value = self._getCategoryTool().resolveCategory(path)
- if value is not None: ref_list.append(value)
- except ConflictError:
- raise
- except:
- LOG("ERP5Type WARNING",0,"category %s has no object value" % path, error=sys.exc_info())
+ ref_list.append(self._getCategoryTool().resolveCategory(path))
return ref_list
security.declareProtected(Permissions.AccessContentsInformation,
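Review bot: The added `ref_list.append(self._getCategoryTool().resolveCategory(path))` drops not only the exception swallowing but also the `if value is not None` guard, so a category path that resolveCategory resolves to None would now land in the returned list as a None entry, where the old code skipped it and logged a warning. Letting Unauthorized propagate does not require giving up that filter; keeping `value = self._getCategoryTool().resolveCategory(path)` followed by `if value is not None: ref_list.append(value)` preserves it while still raising on inaccessible documents. Whether resolveCategory returns None or raises for a dangling path is not visible in this hunk; if it only ever raises, the remaining change is that such errors are no longer swallowed, which is worth a sentence in the commit message since callers that tolerated dangling paths will now see exceptions. The enclosing method starts above the hunk.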
Modified: erp5/trunk/products/ERP5Type/tests/testERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/tests/testERP5Type.py?rev=20200&r1=20199&r2=20200&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/tests/testERP5Type.py (original)
+++ erp5/trunk/products/ERP5Type/tests/testERP5Type.py Fri Mar 28 18:21:50 2008
@@ -40,6 +40,7 @@
from Products.ERP5Type.Utils import removeLocalPropertySheet
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl import getSecurityManager
+from AccessControl import Unauthorized
from Products.ERP5Type.tests.utils import createZODBPythonScript
from Products.ERP5Type.tests.utils import removeZODBPythonScript
@@ -1763,6 +1764,65 @@
checked_permission=checked_permission)
self.assertSameSet([beta_path, gamma_path], foo.getRegionList())
+ def test_category_accessor_to_unaccessible_documents(self):
+ # Category Accessors raises Unauthorized when you try to access objects
+ # you cannot Access, unless you explictly pass checked_permission=
+
+ region_category = self.getPortal().portal_categories.region
+ beta_id = "beta"
+ beta_title = "Beta System"
+ beta = region_category.newContent(
+ portal_type = "Category",
+ id = beta_id,
+ title = beta_title, )
+ beta_path = beta.getCategoryRelativeUrl()
+
+ beta.manage_permission('View', roles=[], acquire=0)
+ beta.manage_permission('Access contents information', roles=[], acquire=0)
+ # with this security setting, it's not possible to access "beta":
+ self.assertRaises(Unauthorized,
+ region_category.restrictedTraverse, "beta")
+
+ gamma_id = "gamma"
+ gamma_title = "Gamma System"
+ gamma = region_category.newContent(
+ portal_type = "Category",
+ id = gamma_id,
+ title = gamma_title, )
+ gamma_path = gamma.getCategoryRelativeUrl()
+
+ # Make sure categories are reindexed
+ get_transaction().commit()
+ self.tic()
+
+ # Create a new person, and associate it to beta and gamma.
+ module = self.getPersonModule()
+ foo = module.newContent(portal_type='Person', title='Foo')
+ foo.setRegionValueList((beta, gamma))
+
+ # getRegionList returns relative URLs, no security checks are applied
+ self.assertEquals([beta_path, gamma_path],
+ foo.getRegionList())
+ self.assertEquals([gamma_path],
+ foo.getRegionList(checked_permission='View'))
+
+ # getRegionValueList raises Unauthorized if document is related to
+ # private documents (as always, unless you pass checked_permission)
+ self.assertRaises(Unauthorized, foo.getRegionValueList)
+ self.assertRaises(Unauthorized, foo.getRegionValueSet)
+ self.assertEquals([gamma],
+ foo.getRegionValueList(checked_permission='View'))
+
+ # same for property accessors
+ self.assertRaises(Unauthorized, foo.getRegionTitleList)
+ self.assertRaises(Unauthorized, foo.getRegionTitleSet)
+ self.assertEquals(["Gamma System"],
+ foo.getRegionTitleList(checked_permission='View'))
+
+ # same for default accessors
+ self.assertRaises(Unauthorized, foo.getRegionValue)
+ self.assertRaises(Unauthorized, foo.getRegionTitle)
+
def test_list_accessors(self):
self._addProperty('Person', '''{'id': 'dummy',
'type': 'lines',
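Review bot: The new test pins down the Unauthorized behaviour but not the other case the Base.py hunk touches: a category path that resolveCategory cannot resolve to a document, which the old accessor code skipped and the new code no longer filters. An extra assertion that sets a non-existent region path on `foo` and checks what `getRegionValueList()` returns or raises would fix that contract either way. The comment under the def also has a typo; `# you cannot access, unless you explicitly pass checked_permission=`. test_category_accessor_to_unaccessible_documents lies entirely within the hunk.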