00002 import textwrap
00003 from AccessControl import Unauthorized
00004 
00005 from Products.CMFCore.utils import getToolByName
00006 from Products.Archetypes.tests.atsitetestcase import ATSiteTestCase
00007 from Products.Archetypes.tests.utils import makeContent
00008 
00009 from Products.Archetypes.Storage import AttributeStorage
00010 from Products.Archetypes.examples.SimpleType import TestView, TestWrite
00011 
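class AttributeProtectionTest(ATSiteTestCase):
    """Check that Archetypes content honours Zope permissions both for
    through-the-web (TTW) code and for direct field writes.

    Most tests store a Python Script in the test folder -- i.e. code
    running under RestrictedPython -- and run it against one
    ``SimpleProtectedType`` instance.  Together the tests cover:

    * attribute and method reads from a restricted script succeed while
      ``TestView`` is available and are refused once it is withheld;
    * ``update()``, ``edit()`` and ``processForm()`` leave a field's
      value alone when the caller lacks the field's write permission
      (``TestWrite`` here);
    * ``at_post_create_script`` / ``at_post_edit_script`` cannot be
      called from TTW code at all;
    * ``IndexIterator``, ``transaction_note`` and ``DisplayList`` stay
      importable and usable from restricted code.
    """

    _type = 'SimpleProtectedType'

    def afterSetUp(self):
        """Build the fixture: a folder, one protected object and the
        restricted-script sources used by the access tests.

        Runs as Manager while creating content, then calls ``logout()``
        so every test starts without the Manager role and has to opt in
        via ``setRoles``.  ``self.attrs`` lists the schema fields kept
        in ``AttributeStorage`` -- the names the attribute-access
        scripts read back with ``getattr``.
        """
        ATSiteTestCase.afterSetUp(self)
        self.setRoles(['Manager'])
        self.portal.invokeFactory('Folder', 'test_folder_')
        self.folder = self.portal.test_folder_
        t = self._type
        self.portal.portal_workflow.setChainForPortalTypes((t,), ('plone_workflow',))
        self.inst = inst = makeContent(self.folder, portal_type=t, id=t)
        self.object_id = t
        self.attrs = [f.getName() for f in inst.Schema().fields()
                      if isinstance(f.getStorage(), AttributeStorage)]

        # Script sources.  They are dedented by addPS(); the attribute
        # and method name lists are interpolated as Python list literals.
        self.check_attrs = """\
        content = getattr(context, '%(object_id)s')
        for attr in %(attrs)s:
            print getattr(content, attr, None)
        """ % {'object_id': self.object_id,
               'attrs': self.attrs}

        self.check_methods = """\
        content = getattr(context, '%(object_id)s')
        for meth in %(methods)s:
            print getattr(content, meth)()
        """ % {'object_id': self.object_id,
               'methods': ['foo']}
        self.logout()

    def addPS(self, id, params='', body=''):
        """Add a Python Script ``id`` to the test folder.

        ``params`` is the script's parameter list, ``body`` its source;
        the body is dedented first so the triple-quoted sources above
        can stay indented with the test code.

        NOTE(review): each test adds the script exactly once under the
        fixed id 'ps'; adding a second script with the same id in one
        test would presumably be rejected by the folder -- verify
        before reusing the helper that way.
        """
        factory = self.folder.manage_addProduct['PythonScripts']
        factory.manage_addPythonScript(id)
        body = textwrap.dedent(body)
        self.folder[id].ZPythonScript_edit(params, body)

    def check(self, psbody):
        """Assert that the restricted script ``psbody`` runs to completion.

        ``ImportError`` is treated as a failure alongside ``Unauthorized``
        so the import tests below fail loudly if a name stops being
        reachable from restricted code.
        """
        self.addPS('ps', body=psbody)
        try:
            self.folder.ps()
        except (ImportError, Unauthorized), e:
            self.fail(e)

    def checkUnauthorized(self, psbody):
        """Assert that running the restricted script ``psbody`` is refused.

        ``AttributeError`` and ``ImportError`` count as a refusal in
        addition to ``Unauthorized``.  Caveat: that makes the negative
        tests weaker than their names suggest -- a script that merely
        refers to a name which does not exist also satisfies this
        helper, so a passing test shows "the script could not do it",
        not specifically "the security machinery said no".
        """
        self.addPS('ps', body=psbody)
        try:
            self.folder.ps()
        except (AttributeError, ImportError, Unauthorized):
            return
        # Same failure style as check(): go through the TestCase API
        # rather than raising AssertionError by hand.
        self.fail('Unauthorized not raised')

    def test_attribute_access_has_perm(self):
        """In the fixture's default state a restricted script may read
        the AttributeStorage fields."""
        self.check(self.check_attrs)

    def test_attribute_access_no_perm(self):
        """Restricting ``TestView`` to Manager on the object must make
        the same attribute reads fail for a caller without that role."""
        self.setRoles(['Manager'])
        p = self.inst
        # acquire=0: the restriction must not be undone by the setting
        # acquired from the containing folder/portal.
        p.manage_permission(TestView, roles=['Manager'], acquire=0)
        self.setRoles([])
        # NOTE(review): afterSetUp() ends with logout(); whether the
        # script now runs as Anonymous or as the role-less test user
        # depends on setRoles() re-logging in, which is not visible
        # here.  The disabled method-access variant below adds an
        # explicit logout() -- confirm which subject is intended.
        self.checkUnauthorized(self.check_attrs)

    def test_method_access_has_perm(self):
        """In the fixture's default state a restricted script may call
        the object's ``foo`` method."""
        self.check(self.check_methods)

    def DISABLEDtest_method_access_no_perm(self):
        """Method calls must be refused once ``TestView`` is withheld.

        Disabled (renamed so the runner skips it) -- see the note below.
        """
        # XXX Fails in my Zope from Zope-2_7-branch, but works with
        # Zope from trunk.
        self.setRoles(['Manager'])
        p = self.inst
        p.manage_permission(TestView, roles=['Manager'], acquire=0)
        self.setRoles([])
        self.logout()
        self.checkUnauthorized(self.check_methods)

    def test_field_write_no_perm(self):
        """A field whose ``write_permission`` the caller lacks must keep
        its value through ``update()``, ``edit()`` and ``processForm()``.

        These are direct calls, not TTW code, so what is exercised is
        the write-permission check inside the mutators themselves.
        Assumes the title field of ``SimpleProtectedType`` carries
        ``TestWrite`` as its write_permission -- that is what the
        ``manage_permission`` call below restricts.
        """
        self.setRoles(['Manager'])
        p = self.inst
        p.manage_permission(TestWrite, roles=['Manager'], acquire=0)
        self.setRoles([])

        mutators = (
            ('update', lambda: p.update(title='Bla')),
            ('edit', lambda: p.edit(title='Bla')),
            ('processForm',
             lambda: p.processForm(data=True, values={'title': 'Bla'})),
        )
        for name, mutate in mutators:
            before = p.Title()
            mutate()
            self.failUnlessEqual(
                before, p.Title(),
                '%s() changed the title without the write permission' % name)

    def test_field_write_has_perm(self):
        """With the write permission available each mutator must store
        the new title.

        Relies on the fixture's default grant of ``TestWrite`` to
        whatever user is current after ``afterSetUp`` -- not visible
        here.
        """
        p = self.inst
        p.update(title='Bla1')
        self.failUnlessEqual(p.Title(), 'Bla1')

        p.edit(title='Bla2')
        self.failUnlessEqual(p.Title(), 'Bla2')

        p.processForm(data=True, values={'title': 'Bla3'})
        self.failUnlessEqual(p.Title(), 'Bla3')

    def test_import_IndexIterator(self):
        """``IndexIterator`` must be importable from restricted code."""
        self.check('from Products.Archetypes import IndexIterator')

    def test_use_IndexIterator(self):
        """... and instantiable/iterable there, not just importable."""
        self.check('from Products.Archetypes import IndexIterator;'
                   'print IndexIterator().next()')

    def test_import_transaction_note(self):
        """``transaction_note`` must be importable from restricted code."""
        self.check('from Products.Archetypes import transaction_note')

    def test_use_transaction_note(self):
        """... and callable there."""
        self.check('from Products.Archetypes import transaction_note;'
                   'print transaction_note("foo")')

    def test_import_DisplayList(self):
        """``DisplayList`` must be importable from restricted code."""
        self.check('from Products.Archetypes import DisplayList')

    def test_use_DisplayList(self):
        """... and its instances usable there."""
        self.check('from Products.Archetypes import DisplayList;'
                   'print DisplayList((("foo", "bar"),)).keys()')

    def test_at_post_scripts_unauthorized(self):
        """The post-create/post-edit hooks must be unreachable from TTW
        code even when the caller holds the Manager role.

        Caveat: because checkUnauthorized() also accepts AttributeError,
        this would pass vacuously if the hooks were removed from the
        class; it does not by itself prove they are declared private.
        """
        self.setRoles(['Manager'])
        test = """\
        content = getattr(context, '%(object_id)s')
        content.at_post_create_script()
        content.at_post_edit_script()
        """ % {'object_id': self.object_id}
        self.checkUnauthorized(test)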
00155 
def test_suite():
    """Return the unittest suite for this module.

    Only ``AttributeProtectionTest`` is collected; the list form keeps
    it easy to append further test classes later.
    """
    import unittest
    test_classes = [AttributeProtectionTest]
    return unittest.TestSuite([unittest.makeSuite(cls) for cls in test_classes])