[Erp5-dev] Strange cases with security in Unit tests
Mikolaj Antoszkiewicz
mikolaj at erp5.pl
Wed Nov 14 19:49:37 CET 2007
Mikolaj Antoszkiewicz wrote:
> Hello,
>
> When playing tests I got halted on such a curious (for me) situation.
> - As userA I'm creating the (tweaked) event object and setting myself as
> event's source.
> - Then I change the source to userB (logged in as user_manager)
> - Security is set to give View and Access Content Information permission
> to the user who is source.
> - The permissions are set, and verified successfully with
> 'has_permission' method, but...
> I get this exception when trying to do event.view()
>
> *** Unauthorized: Your user account does not have the required permission.
> Access to 'sales_rep_A' of (Folder at /Bziubziak/person_module) denied.
> Your user account, sales_rep_B, exists at /Bziubziak/acl_users.
> Access requires Access_contents_information_Permission, granted to
> the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor',
> 'Author', 'Manager', 'Owner'].
> Your roles in this context are ['Authenticated', 'Member'].
>
> It seems there should be some relations to userA still set on the event
> object. Well...
> To prove that userA is no longer related in any way to that object,
> here's its Dict attached.
>
> Can entries in workflow_history have any influence on that? I think
> not. What other relations not listed in showDict might exist that cause
> such an error?
>
>
> Also there is a case where the user doesn't have modify permissions on the
> object, can't even View it, but I can manually execute setter and getter
> methods on it (in test only).
> Is this a known case? Should such checks be made strictly using
> has_permission methods and not by trying to actually modify/view the object?
>
> Concerned,
> Mikolaj
Sorry, wrong dict attached. This one looks much better... :)
M.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.tiolive.com/pipermail/erp5-dev/attachments/20071114/404409e3/attachment.htm>