[Erp5-report] r20998 - in /erp5/trunk/products/ERP5Type: Accessor/ tests/
nobody at svn.erp5.org
nobody at svn.erp5.org
Fri May 16 16:29:50 CEST 2008
Author: aurel
Date: Fri May 16 16:29:50 2008
New Revision: 20998
URL: http://svn.erp5.org?rev=20998&view=rev
Log:
make the security works on accessors
add unit test for it
patch done by Romain and Jerome
Modified:
erp5/trunk/products/ERP5Type/Accessor/Accessor.py
erp5/trunk/products/ERP5Type/tests/testERP5Type.py
Modified: erp5/trunk/products/ERP5Type/Accessor/Accessor.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Accessor/Accessor.py?rev=20998&r1=20997&r2=20998&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Accessor/Accessor.py (original)
+++ erp5/trunk/products/ERP5Type/Accessor/Accessor.py Fri May 16 16:29:50 2008
@@ -35,6 +35,11 @@
"""
Generic Accessor - placehold for common methods
"""
+ class __roles__:
+ @staticmethod
+ def rolesForPermissionOn(ob):
+ return getattr(ob.im_self, '%s__roles__' % ob.__name__)
+
def __getinitargs__(self):
init = getattr(self, '__init__', None)
if init is not None:
@@ -62,4 +67,4 @@
def asReindexAlias(self, id):
# Returns a reindexing alias
from Alias import ReindexAlias
- return ReindexAlias(id, self.__name__)
+ return ReindexAlias(id, self.__name__)
Modified: erp5/trunk/products/ERP5Type/tests/testERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/tests/testERP5Type.py?rev=20998&r1=20997&r2=20998&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/tests/testERP5Type.py (original)
+++ erp5/trunk/products/ERP5Type/tests/testERP5Type.py Fri May 16 16:29:50 2008
@@ -42,8 +42,10 @@
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl import getSecurityManager
from AccessControl import Unauthorized
+from AccessControl.ZopeGuards import guarded_getattr, guarded_hasattr
from Products.ERP5Type.tests.utils import createZODBPythonScript
from Products.ERP5Type.tests.utils import removeZODBPythonScript
+from Products.ERP5Type import Permissions
class PropertySheetTestCase(ERP5TypeTestCase):
"""Base test case class for property sheets tests.
@@ -2093,6 +2095,106 @@
finally:
removeZODBPythonScript(script_container, script_id)
+ def test_DefaultSecurityOnAccessors(self):
+ # Test accessors are protected correctly
+ self._addProperty('Person',
+ ''' { 'id': 'foo_bar',
+ 'type': 'string',
+ 'mode': 'w', }''')
+ obj = self.getPersonModule().newContent(portal_type='Person')
+
+ self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+ self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+
+ # setter is protected by default with modify portal content
+ obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+ self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
+ self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+
+ # getter is protected with Access content information
+ obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+ obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+ self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+ self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
+
+ def test_DefaultSecurityOnListAccessors(self):
+ # Test list accessors are protected correctly
+ self._addProperty('Person',
+ ''' { 'id': 'foo_bar',
+ 'type': 'lines',
+ 'mode': 'w', }''')
+ obj = self.getPersonModule().newContent(portal_type='Person')
+ self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
+ self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
+
+ # setter is protected by default with modify portal content
+ obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+ self.assertFalse(guarded_hasattr(obj, 'setFooBarList'))
+ self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
+
+ # getter is protected with Access content information
+ obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+ obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+ self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
+ self.assertFalse(guarded_hasattr(obj, 'getFooBarList'))
+
+ def test_DefaultSecurityOnCategoryAccessors(self):
+ # Test category accessors are protected correctly
+ obj = self.getPersonModule().newContent(portal_type='Person')
+ self.assertTrue(guarded_hasattr(obj, 'setRegion'))
+ self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
+ self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
+ self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegion'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
+
+ # setter is protected by default with modify portal content
+ obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+ self.assertFalse(guarded_hasattr(obj, 'setRegion'))
+ self.assertFalse(guarded_hasattr(obj, 'setRegionValue'))
+ self.assertFalse(guarded_hasattr(obj, 'setRegionList'))
+ self.assertFalse(guarded_hasattr(obj, 'setRegionValueList'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegion'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
+ self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
+
+ # getter is protected with Access content information
+ obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+ obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+ self.assertTrue(guarded_hasattr(obj, 'setRegion'))
+ self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
+ self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
+ self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
+ self.assertFalse(guarded_hasattr(obj, 'getRegion'))
+ self.assertFalse(guarded_hasattr(obj, 'getRegionValue'))
+ self.assertFalse(guarded_hasattr(obj, 'getRegionList'))
+ self.assertFalse(guarded_hasattr(obj, 'getRegionValueList'))
+
+ def test_PropertySheetSecurityOnAccessors(self):
+ # Test accessors are protected correctly when you specify the permission
+ # in the property sheet.
+ self._addProperty('Person',
+ ''' { 'id': 'foo_bar',
+ 'write_permission' : 'Set own password',
+ 'read_permission' : 'Manage users',
+ 'type': 'string',
+ 'mode': 'w', }''')
+ obj = self.getPersonModule().newContent(portal_type='Person')
+ self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+ self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+
+ obj.manage_permission('Set own password', [], 0)
+ self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
+ self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+
+ obj.manage_permission('Set own password', ['Manager'], 1)
+ obj.manage_permission('Manage users', [], 0)
+ self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+ self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
+
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestERP5Type))
More information about the Erp5-report
mailing list