Commit 354c8350 authored by Ivan Tyagov's avatar Ivan Tyagov

If a user (usually Anonymous User) can't access the default document of a Web Section, allow a login form to be prompted to them or not, based on the is_authorization_forced property of the Web Section.
Extend tests to cover this new feature.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21699 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent f59d03e2
...@@ -34,7 +34,8 @@ from Products.ERP5.Document.Domain import Domain ...@@ -34,7 +34,8 @@ from Products.ERP5.Document.Domain import Domain
from Products.ERP5.Document.Document import PermanentURLMixIn from Products.ERP5.Document.Document import PermanentURLMixIn
from Acquisition import ImplicitAcquisitionWrapper, aq_base, aq_inner from Acquisition import ImplicitAcquisitionWrapper, aq_base, aq_inner
from Products.ERP5Type.Base import TempBase from Products.ERP5Type.Base import TempBase
from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
from AccessControl import Unauthorized
from zLOG import LOG, WARNING from zLOG import LOG, WARNING
import sys import sys
...@@ -176,6 +177,16 @@ class WebSection(Domain, PermanentURLMixIn): ...@@ -176,6 +177,16 @@ class WebSection(Domain, PermanentURLMixIn):
return getattr(self, custom_render_method_id)() return getattr(self, custom_render_method_id)()
# The following could be moved to a typed based method for more flexibility # The following could be moved to a typed based method for more flexibility
document = self.getDefaultDocumentValue() document = self.getDefaultDocumentValue()
if document is None:
# no document found for current user, still such document may exists
# in some cases user (like Anonymous) can not view document according to portal catalog
# but we may ask him to login if such a document exists
isAuthorizationForced = getattr(self, 'isAuthorizationForced', None)
if isAuthorizationForced is not None and isAuthorizationForced():
getDefaultDocumentValue = UnrestrictedMethod(self.getDefaultDocumentValue)
if getDefaultDocumentValue() is not None:
# force user to login as specified in Web Section
raise Unauthorized
if document is not None: if document is not None:
self.REQUEST.set('current_web_document', document.__of__(self)) # Used to be document self.REQUEST.set('current_web_document', document.__of__(self)) # Used to be document
self.REQUEST.set('is_web_section_default_document', 1) self.REQUEST.set('is_web_section_default_document', 1)
......
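Review bot: In the new `if document is None:` block the value returned by `UnrestrictedMethod(self.getDefaultDocumentValue)()` is a document the current user is not allowed to see, and nothing in the code records that it may only be used for the `is not None` test. I would add a comment above that call, e.g. `# security: unrestricted lookup is an existence check only; never bind its result to document or REQUEST`, so a later edit does not reuse it for rendering. The branch also makes the existence of a hidden default document observable to anonymous visitors (Unauthorized versus a normal render); that looks intended since it is opt-in per section, but it is worth stating in the property's description. `isAuthorizationForced` is fetched with `getattr`, so it can presumably be acquired from a parent object; confirm that is wanted. The enclosing method starts and ends outside the hunk.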
...@@ -484,6 +484,52 @@ class TestERP5Web(ERP5TypeTestCase, ZopeTestCase.Functional): ...@@ -484,6 +484,52 @@ class TestERP5Web(ERP5TypeTestCase, ZopeTestCase.Functional):
self.tic() self.tic()
self.assertEqual(web_page_en, websection.getDefaultDocumentValue()) self.assertEqual(web_page_en, websection.getDefaultDocumentValue())
def test_10_WebSectionAuthorizationForcedForDefaultDocument(self, quiet=quiet, run=run_all_test):
""" Check that when a Web Section contains a default document not accessible by user we have a chance to
require user to login.
Whether or not an user will login is controlled by a property on Web Section (authorization_forced).
"""
if not run: return
if not quiet:
message = '\ntest_10_WebSectionAuthorizationForcedForDefaultDocument'
ZopeTestCase._print(message)
request = self.app.REQUEST
website = self.setupWebSite()
websection = self.setupWebSection()
web_page_reference = 'default-document-reference'
web_page_en = self.portal.web_page_module.newContent(
portal_type = 'Web Page',
language = 'en',
reference = web_page_reference)
# this way it's not viewable by anonymous and we can test
web_page_en.releaseAlive()
websection.setAggregateValue(web_page_en)
websection.setAuthorizationForced(1)
get_transaction().commit()
self.tic()
# make sure that getDefaultDocumentValue() will return the same document for logged in user
# if default document is accessible
self.assertEqual(web_page_en.getUid(),
websection.getDefaultDocumentValue().getUid())
# check Unauthorized exception is raised for anonymous when authorization_forced is set
self.logout()
self.assertEqual(None, websection.getDefaultDocumentValue())
self.assertRaises(Unauthorized, websection)
# Anonymous User should not get Unauthorized when authorization_forced is not set
self.login()
websection.setAuthorizationForced(0)
get_transaction().commit()
self.tic()
self.logout()
self.assertEqual(None, websection.getDefaultDocumentValue())
try:
websection()
except Unauthorized:
self.fail("Web Section should not prompt user for login.")
class TestERP5WebWithSimpleSecurity(ERP5TypeTestCase): class TestERP5WebWithSimpleSecurity(ERP5TypeTestCase):
""" """
Test for erp5_web with simple security. Test for erp5_web with simple security.
......
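Review bot: The new test never exercises the inner `getDefaultDocumentValue() is not None` check, because both phases use a section whose default document exists but is hidden from anonymous; a regression that raised Unauthorized for every forced section without a visible document would still pass. I would add a phase that keeps `websection.setAuthorizationForced(1)` on a section with no default document at all and asserts, with the same `try: websection()` / `except Unauthorized: self.fail(...)` pattern used at the end, that anonymous is not prompted to log in. The test also finishes logged out and with the flag changed; if other tests in the class reuse this section, restoring the state would be safer, though the setup code is not visible in the hunk.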