[Erp5-report] r20998 - in /erp5/trunk/products/ERP5Type: Accessor/ tests/

nobody at svn.erp5.org nobody at svn.erp5.org
Fri May 16 16:29:50 CEST 2008 

Author: aurel
Date: Fri May 16 16:29:50 2008
New Revision: 20998

URL: http://svn.erp5.org?rev=20998&view=rev
Log:
make the security works on accessors
add unit test for it
patch done by Romain and Jerome

Modified:
    erp5/trunk/products/ERP5Type/Accessor/Accessor.py
    erp5/trunk/products/ERP5Type/tests/testERP5Type.py

Modified: erp5/trunk/products/ERP5Type/Accessor/Accessor.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/Accessor/Accessor.py?rev=20998&r1=20997&r2=20998&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/Accessor/Accessor.py (original)
+++ erp5/trunk/products/ERP5Type/Accessor/Accessor.py Fri May 16 16:29:50 2008
@@ -35,6 +35,11 @@
     """
       Generic Accessor - placehold for common methods
     """
+    class __roles__:
+      @staticmethod
+      def rolesForPermissionOn(ob):
+        return getattr(ob.im_self, '%s__roles__' % ob.__name__)
+
     def __getinitargs__(self):
       init = getattr(self, '__init__', None)
       if init is not None:
@@ -62,4 +67,4 @@
     def asReindexAlias(self, id):
       # Returns a reindexing alias
       from Alias import ReindexAlias
-      return ReindexAlias(id, self.__name__)
+      return ReindexAlias(id, self.__name__)

Modified: erp5/trunk/products/ERP5Type/tests/testERP5Type.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/tests/testERP5Type.py?rev=20998&r1=20997&r2=20998&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/tests/testERP5Type.py (original)
+++ erp5/trunk/products/ERP5Type/tests/testERP5Type.py Fri May 16 16:29:50 2008
@@ -42,8 +42,10 @@
 from AccessControl.SecurityManagement import newSecurityManager
 from AccessControl import getSecurityManager
 from AccessControl import Unauthorized
+from AccessControl.ZopeGuards import guarded_getattr, guarded_hasattr
 from Products.ERP5Type.tests.utils import createZODBPythonScript
 from Products.ERP5Type.tests.utils import removeZODBPythonScript
+from Products.ERP5Type import Permissions
 
 class PropertySheetTestCase(ERP5TypeTestCase):
   """Base test case class for property sheets tests.
@@ -2093,6 +2095,106 @@
       finally:
         removeZODBPythonScript(script_container, script_id)
 
+    def test_DefaultSecurityOnAccessors(self):
+      # Test accessors are protected correctly
+      self._addProperty('Person',
+                  ''' { 'id':         'foo_bar',
+                        'type':       'string',
+                        'mode':       'w', }''')
+      obj = self.getPersonModule().newContent(portal_type='Person')
+
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      # setter is protected by default with modify portal content
+      obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      # getter is protected with Access content information
+      obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+      obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
+
+    def test_DefaultSecurityOnListAccessors(self):
+      # Test list accessors are protected correctly
+      self._addProperty('Person',
+                  ''' { 'id':         'foo_bar',
+                        'type':       'lines',
+                        'mode':       'w', }''')
+      obj = self.getPersonModule().newContent(portal_type='Person')
+      self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
+      
+      # setter is protected by default with modify portal content
+      obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setFooBarList'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBarList'))
+      
+      # getter is protected with Access content information
+      obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+      obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setFooBarList'))
+      self.assertFalse(guarded_hasattr(obj, 'getFooBarList'))
+
+    def test_DefaultSecurityOnCategoryAccessors(self):
+      # Test category accessors are protected correctly
+      obj = self.getPersonModule().newContent(portal_type='Person')
+      self.assertTrue(guarded_hasattr(obj, 'setRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
+      
+      # setter is protected by default with modify portal content
+      obj.manage_permission(Permissions.ModifyPortalContent, [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setRegion'))
+      self.assertFalse(guarded_hasattr(obj, 'setRegionValue'))
+      self.assertFalse(guarded_hasattr(obj, 'setRegionList'))
+      self.assertFalse(guarded_hasattr(obj, 'setRegionValueList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'getRegionValueList'))
+      
+      # getter is protected with Access content information
+      obj.manage_permission(Permissions.ModifyPortalContent, ['Manager'], 1)
+      obj.manage_permission(Permissions.AccessContentsInformation, [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setRegion'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValue'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionList'))
+      self.assertTrue(guarded_hasattr(obj, 'setRegionValueList'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegion'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegionValue'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegionList'))
+      self.assertFalse(guarded_hasattr(obj, 'getRegionValueList'))
+
+    def test_PropertySheetSecurityOnAccessors(self):
+      # Test accessors are protected correctly when you specify the permission
+      # in the property sheet.
+      self._addProperty('Person',
+                  ''' { 'id':         'foo_bar',
+                        'write_permission' : 'Set own password',
+                        'read_permission'  : 'Manage users',
+                        'type':       'string',
+                        'mode':       'w', }''')
+      obj = self.getPersonModule().newContent(portal_type='Person')
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      obj.manage_permission('Set own password', [], 0)
+      self.assertFalse(guarded_hasattr(obj, 'setFooBar'))
+      self.assertTrue(guarded_hasattr(obj, 'getFooBar'))
+      
+      obj.manage_permission('Set own password', ['Manager'], 1)
+      obj.manage_permission('Manage users', [], 0)
+      self.assertTrue(guarded_hasattr(obj, 'setFooBar'))
+      self.assertFalse(guarded_hasattr(obj, 'getFooBar'))
+
 def test_suite():
   suite = unittest.TestSuite()
   suite.addTest(unittest.makeSuite(TestERP5Type))

More information about the Erp5-report mailing list