Commit c3d34144 authored by Nicolas Delaby's avatar Nicolas Delaby

Test Security on Temp objects for connected and anonymous users

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@44631 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 8ccd5d04
No related merge requests found
......@@ -37,8 +37,10 @@ from Testing import ZopeTestCase
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase,\
_getConversionServerDict
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl import getSecurityManager
from Products.ERP5Type.tests.Sequence import SequenceList
from Products.ERP5Type.Base import Base
from Products.ERP5Type.Utils import convertToUpperCase
from zExceptions import BadRequest
from Products.ERP5Type.tests.backportUnittest import skip
from Products.ERP5Type.Workflow import addWorkflowByType
......@@ -1015,7 +1017,6 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
for permission in permission_list:
manager_has_no_permission[permission] = ()
from AccessControl import getSecurityManager
user = getSecurityManager().getUser()
try:
self.assertTrue(permission_list)
......@@ -1192,15 +1193,48 @@ class TestBase(ERP5TypeTestCase, ZopeTestCase.Functional):
self.assertEquals(1, len(self.getPortal().portal_catalog(
translated_portal_type='Person', title='translate_table_test')))
def test_TempBasePublicMethods(self):
# make sure TempBase methods 'edit' and 'setProperty' are actually public
def test_TemporaryObjectPublicMethodListForAnonymous(self):
"""make sure temporary object methods are actually public.
Thanks to owner role, even for Anonymous users
"""
self.logout()
from Products.ERP5Type.Document import newTempBase
from OFS.Traversable import guarded_getattr
tb = newTempBase(self.portal, '_temp_base')
for name in ('edit', 'setProperty'):
organisation = self.portal.organisation_module.newContent(
portal_type='Organisation',
temp_object=True)
user = getSecurityManager().getUser()
self.assertTrue('Owner' in user.getRolesInContext(organisation))
from AccessControl.ZopeGuards import guarded_getattr
property_map_dict = organisation.propertyMap()
property_id_list = ('edit', 'setProperty', 'getProperty') + \
tuple(['get' + convertToUpperCase(property_map['id'])\
for property_map in property_map_dict])
for property_id in property_id_list:
# should not raise Unauthorized
guarded_getattr(organisation, property_id)
def test_TemporaryObjectPublicMethodList(self):
"""make sure temporary object methods are actually public.
Thanks to owner role.
"""
uf = self.getPortal().acl_users
uf._doAddUser('BOBBY', '', ['Member',], [])
user = uf.getUserById('BOBBY').__of__(uf)
newSecurityManager(None, user)
organisation = self.portal.organisation_module.newContent(
portal_type='Organisation',
temp_object=True)
user = getSecurityManager().getUser()
self.assertTrue('Owner' in user.getRolesInContext(organisation))
from AccessControl.ZopeGuards import guarded_getattr
property_map_dict = organisation.propertyMap()
property_id_list = ('edit', 'setProperty', 'getProperty') + \
tuple(['get' + convertToUpperCase(property_map['id'])\
for property_map in property_map_dict])
for property_id in property_id_list:
# should not raise Unauthorized
edit = guarded_getattr(tb, name)
guarded_getattr(organisation, property_id)
@skip("isIndexable is not designed to work like tested here, this test \
must be rewritten once we know how to handle correctly templates")
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment