[Erp5-report] r20200 - in /erp5/trunk/products/ERP5Type: Base.py tests/testERP5Type.py



Author: jerome
Date: Fri Mar 28 18:21:50 2008
New Revision: 20200

URL: http://svn.erp5.org?rev=20200&view=rev
Log:
Fix behaviour of category accessors when a document is related to
another document you cannot access.
The behaviour was different depending on whether you used the default accessor or the list accessor:
 - get(Category)Value raises Unauthorized
 - get(Category)ValueList filters documents you cannot access (because
   exceptions are ignored).

As you can pass checked_permission= to explicitly filter documents you cannot
access, get(Category)ValueList should raise Unauthorized, this also makes
behaviour consistent with get(Category)Value.

Modified:
    erp5/trunk/products/ERP5Type/Base.py
    erp5/trunk/products/ERP5Type/tests/testERP5Type.py

Modified: erp5/trunk/products/ERP5Type/Base.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Base.py?rev=20200&r1=20199&r2=20200&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Base.py (original)
+++ erp5/trunk/products/ERP5Type/Base.py Fri Mar 28 18:21:50 2008
@@ -2007,13 +2007,7 @@
     ref_list = []
     for path in self._getAcquiredCategoryMembershipList(id, base=1,
                                                 spec=spec,  filter=filter, **kw):
-      try:
-        value = self._getCategoryTool().resolveCategory(path)
-        if value is not None: ref_list.append(value)
-      except ConflictError:
-        raise
-      except:
-        LOG("ERP5Type WARNING",0,"category %s has no object value" % path, error=sys.exc_info())
+      ref_list.append(self._getCategoryTool().resolveCategory(path))
     return ref_list
 
   security.declareProtected(Permissions.AccessContentsInformation, 
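Review bot: The replacement line `ref_list.append(self._getCategoryTool().resolveCategory(path))` drops the old `if value is not None` guard, so a path that resolveCategory cannot resolve (the removed code clearly expected a None result for a dangling category) is now appended as None and callers iterating the value list will trip over it. Letting Unauthorized propagate is the intended fix, but the None filter was independent of the exception handling and should stay: `value = self._getCategoryTool().resolveCategory(path)` / `if value is not None: ref_list.append(value)`. The removed bare except also hid non-security errors such as a malformed path; if those should still be tolerated, catch them narrowly rather than reinstating the blanket handler. If `LOG` and `sys` were only used by the removed lines, their imports may now be unused (not visible in this hunk). The enclosing accessor starts before this hunk.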

Modified: erp5/trunk/products/ERP5Type/tests/testERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/tests/testERP5Type.py?rev=20200&r1=20199&r2=20200&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/tests/testERP5Type.py (original)
+++ erp5/trunk/products/ERP5Type/tests/testERP5Type.py Fri Mar 28 18:21:50 2008
@@ -40,6 +40,7 @@
 from Products.ERP5Type.Utils import removeLocalPropertySheet
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl import getSecurityManager
+from AccessControl import Unauthorized
 from Products.ERP5Type.tests.utils import createZODBPythonScript
 from Products.ERP5Type.tests.utils import removeZODBPythonScript
 
@@ -1763,6 +1764,65 @@
                     checked_permission=checked_permission)
       self.assertSameSet([beta_path, gamma_path], foo.getRegionList())
     
+    def test_category_accessor_to_unaccessible_documents(self):
+      # Category Accessors raises Unauthorized when you try to access objects
+      # you cannot Access, unless you explictly pass checked_permission=
+
+      region_category = self.getPortal().portal_categories.region
+      beta_id = "beta"
+      beta_title = "Beta System"
+      beta = region_category.newContent(
+              portal_type = "Category",
+              id =          beta_id,
+              title =       beta_title, )
+      beta_path = beta.getCategoryRelativeUrl()
+
+      beta.manage_permission('View', roles=[], acquire=0)
+      beta.manage_permission('Access contents information', roles=[], acquire=0)
+      # with this security setting, it's not possible to access "beta":
+      self.assertRaises(Unauthorized,
+          region_category.restrictedTraverse, "beta")
+
+      gamma_id = "gamma"
+      gamma_title = "Gamma System"
+      gamma = region_category.newContent(
+              portal_type = "Category",
+              id =          gamma_id,
+              title =       gamma_title, )
+      gamma_path = gamma.getCategoryRelativeUrl()
+
+      # Make sure categories are reindexed
+      get_transaction().commit()
+      self.tic()
+
+      # Create a new person, and associate it to beta and gamma.
+      module = self.getPersonModule()
+      foo = module.newContent(portal_type='Person', title='Foo')
+      foo.setRegionValueList((beta, gamma))
+
+      # getRegionList returns relative URLs, no security checks are applied
+      self.assertEquals([beta_path, gamma_path],
+                        foo.getRegionList())
+      self.assertEquals([gamma_path],
+          foo.getRegionList(checked_permission='View'))
+      
+      # getRegionValueList raises Unauthorized if document is related to
+      # private documents (as always, unless you pass checked_permission)
+      self.assertRaises(Unauthorized, foo.getRegionValueList)
+      self.assertRaises(Unauthorized, foo.getRegionValueSet)
+      self.assertEquals([gamma],
+          foo.getRegionValueList(checked_permission='View'))
+
+      # same for property accessors 
+      self.assertRaises(Unauthorized, foo.getRegionTitleList)
+      self.assertRaises(Unauthorized, foo.getRegionTitleSet)
+      self.assertEquals(["Gamma System"],
+          foo.getRegionTitleList(checked_permission='View'))
+
+      # same for default accessors
+      self.assertRaises(Unauthorized, foo.getRegionValue)
+      self.assertRaises(Unauthorized, foo.getRegionTitle)
+
     def test_list_accessors(self):
       self._addProperty('Person', '''{'id': 'dummy',
                                       'type': 'lines',
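Review bot: The default-accessor section at the end of test_category_accessor_to_unaccessible_documents only asserts the raising path; it never checks that `foo.getRegionValue(checked_permission='View')` and `foo.getRegionTitle(checked_permission='View')` still return the accessible document, which is the consistency the commit message claims between default and list accessors. Adding `self.assertEquals(gamma, foo.getRegionValue(checked_permission='View'))` and `self.assertEquals(gamma_title, foo.getRegionTitle(checked_permission='View'))` would pin that behaviour. The Set variants likewise get only the Unauthorized assertion and no checked_permission counterpart. The comment on the second line of the test reads "explictly"; it should be "explicitly".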



