Commit f6b4ea3c authored by Jérome Perrin's avatar Jérome Perrin

testGUIwithSecurity: cleanups and more strict test

maybe a little too strict. I don't know how we can check that fields do
not display a value without checking the markup in such a low-level way
parent 5e4454e0
...@@ -28,21 +28,14 @@ ...@@ -28,21 +28,14 @@
############################################################################## ##############################################################################
import unittest
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import newSecurityManager
from zLOG import LOG
from Products.ERP5Type.tests.Sequence import SequenceList from Products.ERP5Type.tests.Sequence import SequenceList
from Testing import ZopeTestCase
from DateTime import DateTime
class TestGUISecurity(ERP5TypeTestCase): class TestGUISecurity(ERP5TypeTestCase):
""" """
""" """
quiet = 0
run_all_test = 1
def getBusinessTemplateList(self): def getBusinessTemplateList(self):
return ('erp5_ui_test', 'erp5_base') return ('erp5_ui_test', 'erp5_base')
...@@ -50,15 +43,6 @@ class TestGUISecurity(ERP5TypeTestCase): ...@@ -50,15 +43,6 @@ class TestGUISecurity(ERP5TypeTestCase):
def getTitle(self): def getTitle(self):
return "Security Issues in GUI" return "Security Issues in GUI"
def afterSetUp(self):
self.login()
def login(self):
uf = self.getPortal().acl_users
uf._doAddUser('seb', '', ['Manager'], [])
user = uf.getUserById('seb').__of__(uf)
newSecurityManager(None, user)
def loginAs(self, id='user'): def loginAs(self, id='user'):
uf = self.getPortal().acl_users uf = self.getPortal().acl_users
user = uf.getUser(id).__of__(uf) user = uf.getUser(id).__of__(uf)
...@@ -66,35 +50,51 @@ class TestGUISecurity(ERP5TypeTestCase): ...@@ -66,35 +50,51 @@ class TestGUISecurity(ERP5TypeTestCase):
def stepCreateObjects(self, sequence = None, sequence_list = None, **kw): def stepCreateObjects(self, sequence = None, sequence_list = None, **kw):
# Make sure that the status is clean. # Make sure that the status is clean.
portal = self.getPortal() self.portal.ListBoxZuite_reset()
portal.ListBoxZuite_reset() message = self.portal.foo_module.FooModule_createObjects()
message = portal.foo_module.FooModule_createObjects()
self.assertTrue('Created Successfully' in message) self.assertTrue('Created Successfully' in message)
if not hasattr(portal.person_module, 'user'): if not hasattr(self.portal.person_module, 'user'):
user = portal.person_module.newContent(portal_type='Person', id='user', reference='user') user = self.portal.person_module.newContent(portal_type='Person', id='user', reference='user')
user.newContent(portal_type='ERP5 Login', reference='user').validate() user.newContent(portal_type='ERP5 Login', reference='user').validate()
asg = user.newContent(portal_type='Assignment') user.newContent(portal_type='Assignment').open()
asg.setStartDate(DateTime() - 100)
asg.setStopDate(DateTime() + 100)
asg.open()
self.commit()
def stepCreateTestFoo(self, sequence = None, sequence_list = None, **kw): def stepCreateTestFoo(self, sequence = None, sequence_list = None, **kw):
foo_module = self.getPortal().foo_module foo_module = self.portal.foo_module
foo_module.newContent(portal_type='Foo', id='foo', foo_category='a') foo_module.newContent(portal_type='Foo', id='foo', foo_category='a')
# allow Member to view foo_module in a hard coded way as it is not required to setup complex # allow Member to view foo_module in a hard coded way as it is not required to setup complex
# security for this test (by default only 5A roles + Manager can view default modules) # security for this test (by default only 5A roles + Manager can view default modules)
args = (('Manager', 'Member', 'Assignor', 'Assignee', 'Auditor', 'Associate' ), 0) for permission in ('Access contents information', 'View'):
foo_module.manage_permission('Access contents information', *args) foo_module.manage_permission(
foo_module.manage_permission('View', *args) permission,
self.commit() ('Manager', 'Member', 'Assignor', 'Assignee', 'Auditor', 'Associate' ),
0)
def stepAccessFoo(self, sequence = None, sequence_list = None, **kw): def stepAccessFooDoesNotRaise(self, sequence = None, sequence_list = None, **kw):
""" """
Try to view the Foo_view form, make sure Unauthorized is not raised. Try to view the Foo_view form, make sure Unauthorized is not raised.
""" """
self.loginAs() self.loginAs()
self.getPortal().foo_module.foo.Foo_view() self.portal.foo_module.foo.Foo_view()
self.login()
def stepAccessFooDisplaysCategoryName(self, sequence = None, sequence_list = None, **kw):
"""
Try to view the Foo_view form, make sure our category name is displayed
"""
self.loginAs()
self.assertIn(
self.category_field_markup,
self.portal.foo_module.foo.Foo_view())
self.login()
def stepAccessFooDoesNotDisplayCategoryName(self, sequence = None, sequence_list = None, **kw):
"""
Try to view the Foo_view form, make sure our category name is not displayed
"""
self.loginAs()
self.assertNotIn(
self.category_field_markup,
self.portal.foo_module.foo.Foo_view())
self.login() self.login()
def stepChangeCategorySecurity(self, sequence = None, sequence_list = None, **kw): def stepChangeCategorySecurity(self, sequence = None, sequence_list = None, **kw):
...@@ -102,30 +102,23 @@ class TestGUISecurity(ERP5TypeTestCase): ...@@ -102,30 +102,23 @@ class TestGUISecurity(ERP5TypeTestCase):
here we change security of a category to which the "Foo" is related here we change security of a category to which the "Foo" is related
and which is displayed in the Foo's RelationStringField and which is displayed in the Foo's RelationStringField
""" """
category = self.getPortal().portal_categories.foo_category.a category = self.portal.portal_categories.foo_category.a
args = (('Manager',), 0) for permission in ('Access contents information', 'View'):
category.manage_permission('Access contents information', *args) category.manage_permission(permission, ('Manager',), 0 )
category.manage_permission('View', *args)
self.tic()
def stepResetCategorySecurity(self, sequence = None, sequence_list = None, **kw): def stepResetCategorySecurity(self, sequence = None, sequence_list = None, **kw):
""" """
reset it back reset it back
""" """
category = self.getPortal().portal_categories.foo_category.a category = self.portal.portal_categories.foo_category.a
args = ((), 1) for permission in ('Access contents information', 'View'):
category.manage_permission('Access contents information', *args) category.manage_permission(permission, ('Manager',), 1)
category.manage_permission('View', *args)
self.tic()
def test_01_relationFieldToInaccessibleObject(self, quiet=quiet, run=run_all_test): def test_01_relationFieldToInaccessibleObject(self):
""" """
This test checks if a form can be viewed when it contains a RelationStringField which This test checks if a form can be viewed when it contains a RelationStringField which
links to an object the user is not authorized to view. links to an object the user is not authorized to view.
This fails for now. A proposed patch solving this problem is here:
http://svn.erp5.org/experimental/FSPatch/Products/ERP5Form/ERP5Form_safeRelationField.diff?view=markup
This problem can happen for example in the following situation: This problem can happen for example in the following situation:
- a user is a member of a project P team, so he can view P - a user is a member of a project P team, so he can view P
- the user creates a project-related document and leaves it in "draft" state - the user creates a project-related document and leaves it in "draft" state
...@@ -133,29 +126,24 @@ class TestGUISecurity(ERP5TypeTestCase): ...@@ -133,29 +126,24 @@ class TestGUISecurity(ERP5TypeTestCase):
Then the user can not view the project, but still can view his document as he is the owner. Then the user can not view the project, but still can view his document as he is the owner.
An attempt to view the document form would raise Unauthorized. An attempt to view the document form would raise Unauthorized.
""" """
self.login() # this really depends on the generated markup
if not run: return self.category_field_markup = '<input name="field_my_foo_category_title" value="a" type="text"'
if not quiet:
message = 'test_01_relationFieldToInaccessibleObject'
ZopeTestCase._print('\n%s ' % message)
LOG('Testing... ', 0, message)
sequence_list = SequenceList() sequence_list = SequenceList()
sequence_string = '\ sequence_string = '\
CreateObjects \ CreateObjects \
CreateTestFoo \ CreateTestFoo \
Tic \ Tic \
AccessFoo \ AccessFooDoesNotRaise \
AccessFooDisplaysCategoryName \
ChangeCategorySecurity \ ChangeCategorySecurity \
AccessFoo \ Tic \
AccessFooDoesNotRaise \
AccessFooDoesNotDisplayCategoryName \
ResetCategorySecurity \ ResetCategorySecurity \
AccessFoo \ Tic \
AccessFooDoesNotRaise \
' '
sequence_list.addSequenceString(sequence_string) sequence_list.addSequenceString(sequence_string)
sequence_list.play(self, quiet=quiet) sequence_list.play(self)
def test_suite():
suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestGUISecurity))
return suite
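Review bot: In stepAccessFooDisplaysCategoryName and stepAccessFooDoesNotDisplayCategoryName the `self.login()` that restores the Manager session runs only after the assertion, so a failing assertion leaves the security manager set to 'user' for the remaining steps and for tearDown; wrap the body of each (and of stepAccessFooDoesNotRaise, for symmetry) in `try:` … `finally: self.login()`. The negative check `assertNotIn(self.category_field_markup, ...)` passes vacuously if the rendered `<input>` markup ever drifts, and is only meaningful because AccessFooDisplaysCategoryName runs earlier in the same sequence in test_01; a comment next to the sequence string such as `# DisplaysCategoryName must precede DoesNotDisplayCategoryName: it proves the markup is still what we look for` would make that ordering dependency explicit. stepResetCategorySecurity now restores `('Manager',)` with acquire=1 where the removed code restored `()`, so "reset it back" is not strictly the previous state; presumably harmless because Manager acquires these permissions anyway, but `category.manage_permission(permission, (), 1)` would match the docstring.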