Commit e4375123 authored by Jérome Perrin's avatar Jérome Perrin

testPerson: Only check that set password security is enforced from restricted python

EncryptedPasswordMixin.setPassword is public and does its own security
checks, this is since 7d0882ef (setPassword have to do explicit
security checks…, 2007-11-12), but a few months after this, we teached
edit to check security - in d1312cdb (make edit check the security
remove all useless security declaration on private method, 2008-05-23).

In the end what really matters is that end users can not change passwords
through the user interface when editing logins documents.
parent 9371393b
......@@ -32,6 +32,7 @@ import mock
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl import Unauthorized
from AccessControl.ZopeGuards import guarded_getattr
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
from Products.ERP5Type import Permissions
......@@ -241,8 +242,10 @@ class TestPerson(ERP5TypeTestCase):
def testSetPasswordSecurity(self):
p = self._makeOne(id='person')
p.manage_permission(Permissions.SetOwnPassword, [], 0)
self.assertRaises(Unauthorized, p.setPassword, 'secret')
self.assertRaises(Unauthorized, p.edit, password='secret')
with self.assertRaises(Unauthorized):
guarded_getattr(p, 'setPassword')('secret')
with self.assertRaises(Unauthorized):
guarded_getattr(p, 'edit')(password='secret')
# setPassword(None) has no effect, because in the user interface we always
# show an empty field for password. Note that it also does not require any
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment