Commit 9860acfa authored by Łukasz Nowak's avatar Łukasz Nowak

- test that in scenario where user is not allowed to see original document,...

 - test that in scenario where user is not allowed to see original document, he is still able to convert document to different format

Add a test-level Document_checkConversionFormatPermission script which disallows
access to the original document format, and remove it conditionally in beforeTearDown.

Add helper method _test_document_conversion_to_base_format_no_original_format_access.
It asserts that document is not available in original format and then checks
if it is possible to convert this document.

Test for PDF, Open Office Document, Text and Image to cover all known cases.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@35957 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 5920200d
......@@ -64,6 +64,7 @@ from AccessControl import getSecurityManager
from zLOG import LOG
from Products.ERP5.Document.Document import NotConvertedError
from Products.ERP5Form.Document.Preference import Priority
from Products.ERP5Type.tests.utils import createZODBPythonScript
import os
from threading import Thread
import httplib
......@@ -156,6 +157,7 @@ class TestDocumentMixin(ERP5TypeTestCase):
- clear document module
"""
transaction.abort()
self.clearRestrictedSecurityHelperScript()
activity_tool = self.portal.portal_activities
activity_status = set(m.processing_node < -1
for m in activity_tool.getMessageList())
......@@ -165,6 +167,13 @@ class TestDocumentMixin(ERP5TypeTestCase):
assert not activity_status
self.clearDocumentModule()
def clearRestrictedSecurityHelperScript(self):
script_id = 'Document_checkConversionFormatPermission'
custom = self.getPortal().portal_skins.custom
if script_id in custom.objectIds():
custom.manage_delObjects(ids=[script_id])
transaction.commit()
def clearDocumentModule(self):
"""
Remove everything after each run
......@@ -1717,6 +1726,61 @@ style=3D'color:black'>05D65812<o:p></o:p></span></p>
from AccessControl import Unauthorized
self.assertRaises(Unauthorized, document.asText)
def createRestrictedSecurityHelperScript(self):
createZODBPythonScript(self.getPortal().portal_skins.custom,
'Document_checkConversionFormatPermission', 'format=None, **kw', """
if not format:
return 0
return 1
""")
transaction.commit()
def _test_document_conversion_to_base_format_no_original_format_access(self,
portal_type, file_name):
module = self.portal.getDefaultModule(portal_type)
upload_file = makeFileUpload(file_name)
document = module.newContent(portal_type=portal_type,
file=upload_file)
transaction.commit()
self.tic()
self.createRestrictedSecurityHelperScript()
from AccessControl import Unauthorized
# check that it is not possible to access document in original format
self.assertRaises(Unauthorized, document.convert, format=None)
# check that it is possible to convert document to text format
dummy = document.convert(format='text')
def test_WebPage_conversion_to_base_format_no_original_format_access(self):
"""Checks Document.TextDocument"""
self._test_document_conversion_to_base_format_no_original_format_access(
'Web Page',
'TEST-text-iso8859-1.txt'
)
def test_PDF_conversion_to_base_format_no_original_format_access(self):
"""Checks Document.PDFDocument"""
self._test_document_conversion_to_base_format_no_original_format_access(
'PDF',
'TEST-en-002.pdf'
)
def test_Text_conversion_to_base_format_no_original_format_access(self):
"""Checks Document.OOoDocument"""
self._test_document_conversion_to_base_format_no_original_format_access(
'Text',
'TEST-en-002.odt'
)
def test_Image_conversion_to_base_format_no_original_format_access(self):
"""Checks Document.Image"""
self._test_document_conversion_to_base_format_no_original_format_access(
'Image',
'TEST-en-002.png'
)
class TestDocumentWithSecurity(TestDocumentMixin):
username = 'yusei'
......
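Review bot: In `_test_document_conversion_to_base_format_no_original_format_access` the permitted path is only `dummy = document.convert(format='text')`, so all four new tests pass whenever no exception is raised, even if the conversion yields nothing. The result should be asserted on, for example `mime, data = document.convert(format='text')` followed by `self.assertTrue(data)`, assuming convert() returns a (mime, data) pair, which these hunks do not show. Separately, `createRestrictedSecurityHelperScript` commits the restrictive script into the shared `portal_skins.custom` folder, and the only cleanup visible here is the `self.clearRestrictedSecurityHelperScript()` call in `beforeTearDown`. A run interrupted before teardown on a reused site would leave original-format access denied for unrelated tests, so calling the same clear method during setup would make the fixture self-healing (the setup code is outside these hunks). Both new helper methods also lack docstrings; one line each, stating that the script returns 0 only when `format` is empty, would record the intended authorization behaviour.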