Commit 5f7ee128 authored by Ivan Tyagov's avatar Ivan Tyagov

Make it possible to show a login form to user in case user can't find a...

Make it possible to show a login form to user in case user can't find a document by its reference in URL traversal.
Introduce a new property of Web Section for that purpose.



git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@21026 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 4d5d236c
...@@ -308,6 +308,17 @@ class PermanentURLMixIn(ExtensibleTraversableMixIn): ...@@ -308,6 +308,17 @@ class PermanentURLMixIn(ExtensibleTraversableMixIn):
original_id=document.getId(), original_id=document.getId(),
editable_absolute_url=document.absolute_url())) editable_absolute_url=document.absolute_url()))
return document.__of__(self) return document.__of__(self)
# no document found for current user, still such document may exists
# in some cases user (like Anonymous) can not view document according to portal catalog
# but we may ask him to login if such a document exists
# XXX: make sure document exists
if getattr(self, 'isAuthorizationForced', None) is not None:
if self.isAuthorizationForced():
# force user to login as specified in Web Section
raise Unauthorized
else:
# force user to login unconditionally of context
raise Unauthorized
security.declareProtected(Permissions.View, 'getDocumentValue') security.declareProtected(Permissions.View, 'getDocumentValue')
def getDocumentValue(self, name=None, portal=None, **kw): def getDocumentValue(self, name=None, portal=None, **kw):
......
...@@ -74,6 +74,11 @@ class WebSection: ...@@ -74,6 +74,11 @@ class WebSection:
'acquisition_accessor_id' : 'getLayoutConfigurationFormId', 'acquisition_accessor_id' : 'getLayoutConfigurationFormId',
'acquisition_depends' : None, 'acquisition_depends' : None,
'mode' : '' }, 'mode' : '' },
{ 'id' : 'authorization_forced',
'description' : 'Force authorization for anonymous user if document can not be found.',
'type' : 'boolean',
'default': 0,
'mode' : 'rw' },
) )
_categories = ('aggregate', ) _categories = ('aggregate', )
......
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
import os import os
import unittest import unittest
from AccessControl import Unauthorized
from AccessControl.SecurityManagement import newSecurityManager from AccessControl.SecurityManagement import newSecurityManager
from Testing import ZopeTestCase from Testing import ZopeTestCase
from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
...@@ -314,6 +315,54 @@ class TestERP5Web(ERP5TypeTestCase, ZopeTestCase.Functional): ...@@ -314,6 +315,54 @@ class TestERP5Web(ERP5TypeTestCase, ZopeTestCase.Functional):
self.assertEquals('0.2', default_document.getVersion()) self.assertEquals('0.2', default_document.getVersion())
self.assertEquals('published', default_document.getValidationState()) self.assertEquals('published', default_document.getValidationState())
def test_06_WebSectionAuthorizationForced(self, quiet=quiet, run=run_all_test):
""" Check that when a document is requested within a Web Section we have a chance to
require user to login.
Whether or not an user will login is controlled by a property on Web Section (authorization_forced).
"""
if not run:
return
if not quiet:
message = '\ntest_06_WebSectionAuthorizationForced'
ZopeTestCase._print(message)
request = self.app.REQUEST
website = self.setupWebSite()
websection = self.setupWebSection()
webpage_list = self.setupWebSitePages(prefix = 'test-web-page')
webpage = webpage_list[0]
document_reference = 'default-document-reference'
document = self.portal.web_page_module.newContent(
portal_type = 'Web Page',
reference = document_reference)
website.setAuthorizationForced(0)
websection.setAuthorizationForced(0)
get_transaction().commit()
self.tic()
# make sure that _getExtensibleContent will return the same document
# there's not other way to test otherwise URL traversal
self.assertEqual(document.getUid(),
websection._getExtensibleContent(request, document_reference).getUid())
# Anonymous User should have in the request header for not found when
# viewing non available document in Web Section (with no authorization_forced)
self.logout()
self.assertEqual(None, websection._getExtensibleContent(request, document_reference))
self.assertEqual('404 Not Found', request.RESPONSE.getHeader('status'))
# Anonymous user should be prompted to login when viewing non available document
# contained in a Web Page (like ..web_page_module/1/<document_reference>)
self.assertRaises(Unauthorized, webpage._getExtensibleContent, request, document_reference)
# set authorization_forced flag
self.login()
websection.setAuthorizationForced(1)
# check Unauthorized exception is raised for anonymous
# this exception is usually caught and user is redirecetd to login form
self.logout()
self.assertRaises(Unauthorized, websection._getExtensibleContent, request, document_reference)
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
suite.addTest(unittest.makeSuite(TestERP5Web)) suite.addTest(unittest.makeSuite(TestERP5Web))
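Review bot: The new test only exercises a reference that exists but is hidden from Anonymous, so it does not pin down what happens for a reference that matches no document, the case the `XXX: make sure document exists` comment in the traversal code leaves open. Adding `self.assertRaises(Unauthorized, websection._getExtensibleContent, request, 'no-such-reference')` after the last assertion (the reference is a made-up sample) would record the current behaviour and make any later change to it visible. A logged-in user with `authorization_forced` set is also untested, so a regression that challenges authenticated users would pass unnoticed. `test_suite` continues past the end of the hunk.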
......