Commit cccd2234 authored by Aurel's avatar Aurel

do not check security when creating temp object

add unit test for this


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11130 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent b2c90c0a
......@@ -200,9 +200,13 @@ class ERP5TypeInformation( FactoryTypeInformation,
Call the init_script for the portal_type.
Returns the object.
"""
# This is part is copied from CMFCore/TypesTool
ob = FactoryTypeInformation.constructInstance(
self, container, id, *args, **kw)
# This is part is copied from CMFCore/TypesTool/constructInstance
# In case of temp object, we don't want to check security
if not (hasattr(container, 'isTempObject') and container.isTempObject())\
and not self.isConstructionAllowed(container):
raise AccessControl_Unauthorized('Cannot create %s' % self.getId())
ob = self._constructInstance(container, id, *args, **kw)
ob = self._finishConstruction(ob)
# Only try to assign roles to security groups if some roles are defined
# This is an optimisation to prevent defining local roles on subobjects
......
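Review bot: The exemption in `if not (hasattr(container, 'isTempObject') and container.isTempObject())` skips `isConstructionAllowed` purely on what the container reports about itself, and nothing visible in this hunk ties the bypass to the new object never being persisted. If containers here are acquisition-wrapped, `hasattr` may resolve `isTempObject` through a parent rather than on the container itself, so it is worth confirming the lookup is made on the container's own class. The comment should state the invariant the bypass relies on, for example `# Safe only because content created in a temp container is never stored; revisit if temp objects can be attached to persistent ones`. Since the method no longer delegates to `FactoryTypeInformation.constructInstance`, the copied permission check has to be kept in step with CMFCore by hand, which the comment should also say. The method's signature and the rest of its body are outside the hunk.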
......@@ -18,6 +18,7 @@ from Products.ERP5Type.Cache import CachingMethod, clearCache
from Products.ERP5Type.Base import _aq_reset
from Products.ERP5Type.tests.utils import installRealClassTool
from Products.ERP5Type.Utils import removeLocalPropertySheet
from AccessControl.SecurityManagement import newSecurityManager
class PropertySheetTestCase(ERP5TypeTestCase):
"""Base test case class for property sheets tests.
......@@ -116,6 +117,12 @@ class TestERP5Type(PropertySheetTestCase, LogInterceptor):
module.manage_delObjects(list(module.objectIds()))
get_transaction().commit()
def loginWithNoRole(self, quiet=0, run=run_all_test):
uf = self.getPortal().acl_users
uf._doAddUser('ac', '', [], [])
user = uf.getUserById('ac').__of__(uf)
newSecurityManager(None, user)
def getRandomString(self):
return str(randint(-10000000,100000000))
......@@ -241,6 +248,15 @@ class TestERP5Type(PropertySheetTestCase, LogInterceptor):
self.assertEquals(b.isTempObject(), 1)
self.assertEquals(b.getId(), str(2))
# check we can create temp object without specific roles/permissions
self.logout()
self.loginWithNoRole()
o = newTempOrganisation(portal,'b')
self.assertEquals(o.isTempObject(), 1)
a = o.newContent(portal_type = 'Telephone')
self.assertEquals(a.isTempObject(), 1)
self.logout()
self.login()
def test_04_CategoryAccessors(self, quiet=quiet, run=run_all_test):
"""
......
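Review bot: The block added after `self.assertEquals(b.getId(), str(2))` asserts only the permitted case, so it would still pass if the `isConstructionAllowed` check were dropped entirely. A companion assertion that the same role-less user is refused on a persistent container would pin the boundary, along the lines of `self.assertRaises(Unauthorized, persistent_container.newContent, portal_type='Telephone')`, where `Unauthorized` and `persistent_container` are placeholders for names that are not visible in this hunk. The closing `self.logout()` and `self.login()` only run if every assertion passes, so wrapping the role-less section in `try:` / `finally:` would keep a failure from leaving the security manager set to user `ac`. `loginWithNoRole` also accepts `quiet` and `run` without using them, and it calls `_doAddUser('ac', '', [], [])` on every invocation. The enclosing test method starts outside the hunk.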