00001 from unittest import TestSuite, makeSuite
00002 from Products.PloneTestCase import PloneTestCase as ptc
00003 
00004 from zope.component import queryUtility
00005 from StringIO import StringIO
00006 
00007 from plone.keyring.interfaces import IKeyManager
00008 from plone.protect.authenticator import AuthenticatorView
00009 
00010 
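class AuthenticatorTestCase(ptc.FunctionalTestCase):
    """Functional tests for the CSRF protection of state-changing Plone URLs.

    Every test POSTs to a protected action twice through ``checkAuthenticator``:
    once without the ``_authenticator`` token, which must be refused with 403
    even though the request carries valid basic-auth credentials, and once with
    a freshly generated token, which must be answered with the expected status.
    Where the action has an observable effect on the portal, the test also
    checks that effect before and after the protected call.
    """

    def afterSetUp(self):
        # Run as Manager so that a refusal can only stem from the missing
        # token, never from a lack of permission on the action itself.
        self.setRoles(('Manager',))

    def test_KeyManager(self):
        # Tokens are derived from the secrets held by the key manager utility;
        # without it the protection cannot be exercised at all.
        self.failUnless(queryUtility(IKeyManager), 'key manager not found')

    def _tokenFromTag(self, tag):
        """Return the token carried in the ``value`` attribute of ``tag``.

        ``tag`` is the hidden ``<input>`` snippet returned by
        ``AuthenticatorView.authenticator()``.  Anchoring on ``value="`` instead
        of a positional split on quotes keeps the lookup correct if attributes
        are reordered or added, and makes a tag without a value attribute fail
        the test loudly instead of yielding an unrelated substring.
        """
        marker = 'value="'
        self.failUnless(marker in tag, 'no value attribute in %r' % tag)
        return tag.split(marker, 1)[1].split('"', 1)[0]

    def checkAuthenticator(self, path, query='', status=200):
        """POST ``query`` to ``path`` once without and once with a CSRF token.

        :param path: portal-relative path of the protected action.
        :param query: URL-encoded request body; may be empty.
        :param status: HTTP status expected when a valid token is supplied.

        Asserts a 403 for the token-less request and ``status`` for the request
        that carries ``_authenticator``.  Both requests use the default user's
        basic-auth credentials, so the 403 is attributable solely to the
        missing token.
        """
        credentials = '%s:%s' % (ptc.default_user, ptc.default_password)
        path = '/' + self.portal.absolute_url(relative=True) + path

        def post(body):
            # Same request every time; only the body differs.
            return self.publish(path=path, basic=credentials, env={},
                                request_method='POST', stdin=StringIO(body))

        # Without the token the action must be refused even for an
        # authenticated Manager.
        self.assertEqual(post(query).getStatus(), 403)

        # The context/request arguments are placeholder strings: the view
        # apparently needs only the current security manager and the key
        # manager to produce a token -- TODO confirm against plone.protect.
        tag = AuthenticatorView('context', 'request').authenticator()
        token = self._tokenFromTag(tag)
        # NOTE(review): the token is appended without URL-encoding, which
        # relies on it containing only URL-safe characters -- confirm.
        body = '&'.join(part for part in (query, '_authenticator=%s' % token)
                        if part)
        self.assertEqual(post(body).getStatus(), status)

    def test_PloneTool_setMemberProperties(self):
        member = self.portal.portal_membership.getMemberById
        email = 'john@spamfactory.com'
        self.assertNotEqual(member(ptc.default_user).getProperty('email'), email)
        self.checkAuthenticator('/prefs_user_edit',
            'userid=%s&email=%s' % (ptc.default_user, email))
        self.assertEqual(member(ptc.default_user).getProperty('email'), email)

    def test_PloneTool_changeOwnershipOf(self):
        self.assertNotEqual(self.portal.getOwner().getUserName(), ptc.default_user)
        # 302: the script redirects after changing ownership.
        self.checkAuthenticator('/change_ownership',
            'userid=%s' % ptc.default_user, status=302)
        self.assertEqual(self.portal.getOwner().getUserName(), ptc.default_user)

    def test_PloneTool_acquireLocalRoles(self):
        self.checkAuthenticator('/folder_localrole_set',
            'use_acquisition:int=1', status=302)

    def test_PloneTool_deleteObjectsByPaths(self):
        self.failUnless(self.portal.get('news', None))
        self.checkAuthenticator('/plone_utils/deleteObjectsByPaths',
            'paths:list=news')
        self.failIf(self.portal.get('news', None))

    def test_PloneTool_transitionObjectsByPaths(self):
        infoFor = self.portal.portal_workflow.getInfoFor
        frontpage = self.portal['front-page']
        self.assertEqual(infoFor(frontpage, 'review_state'), 'visible')
        self.checkAuthenticator('/plone_utils/transitionObjectsByPaths',
            'workflow_action=publish&paths:list=front-page', status=302)
        self.assertEqual(infoFor(frontpage, 'review_state'), 'published')

    def test_PloneTool_renameObjectsByPaths(self):
        # Presumably needed so the renamed 'events' folder may be re-added
        # under its new id -- TODO confirm.
        self.portal.portal_types['Large Plone Folder'].global_allow = True
        self.failIf(self.portal.get('foo', None))
        self.checkAuthenticator('/plone_utils/renameObjectsByPaths',
            'paths:list=events&new_ids:list=foo&new_titles:list=Foo')
        self.failUnless(self.portal.get('foo', None))

    def test_plone_session_manage_clearSecrets(self):
        self.checkAuthenticator('/acl_users/session/manage_clearSecrets',
            status=302)

    def test_plone_session_manage_createNewSecret(self):
        self.checkAuthenticator('/acl_users/session/manage_createNewSecret',
            status=302)

    def test_RegistrationTool_addMember(self):
        self.checkAuthenticator('/portal_registration/addMember',
            'id=john&password=y0d4Wg')

    def test_RegistrationTool_editMember(self):
        self.checkAuthenticator('/portal_registration/editMember',
            'member_id=%s&password=y0d4Wg&properties.foo:record=' %
            ptc.default_user)

    def test_MembershipTool_setPassword(self):
        self.checkAuthenticator('/portal_membership/setPassword',
            'password=y0d4Wg')

    def test_MembershipTool_deleteMemberArea(self):
        self.checkAuthenticator('/portal_membership/deleteMemberArea',
            'member_id=%s' % ptc.default_user)

    def test_MembershipTool_setLocalRoles(self):
        self.checkAuthenticator('/folder_localrole_add',
            'member_ids:list=%s&member_roles:list=Manager' % ptc.default_user,
            status=302)

    def test_MembershipTool_deleteLocalRoles(self):
        self.checkAuthenticator('/folder_localrole_delete',
            'member_ids:list=%s' % ptc.default_user, status=302)

    def test_MembershipTool_deleteMembers(self):
        self.checkAuthenticator('/portal_membership/deleteMembers',
            'member_ids:list=%s' % ptc.default_user)

    def test_GroupData_addMember(self):
        member = self.portal.portal_membership.getMemberById
        self.failIf('Administrators' in member(ptc.default_user).getGroups())
        self.checkAuthenticator('/prefs_user_membership_edit',
            'userid=%s&add:list=Administrators' % ptc.default_user, status=302)
        self.failUnless('Administrators' in member(ptc.default_user).getGroups())

    def test_GroupData_removeMember(self):
        # Put the user into a group first so that removal is observable.
        group = self.portal.portal_groups.getGroupById('Reviewers')
        group.addMember(ptc.default_user)
        member = self.portal.portal_membership.getMemberById
        self.failUnless('Reviewers' in member(ptc.default_user).getGroups())
        self.checkAuthenticator('/prefs_user_membership_edit',
            'userid=%s&delete:list=Reviewers' % ptc.default_user, status=302)
        self.failIf('Reviewers' in member(ptc.default_user).getGroups())

    def test_userFolderAddUser(self):
        self.checkAuthenticator('/acl_users/userFolderAddUser',
            'login=foo&password=bar&domains=&roles:list=Manager')

    def test_userFolderEditUser(self):
        self.checkAuthenticator('/acl_users/userFolderEditUser',
            'principal_id=%s&password=bar&domains=&roles:list=Manager' %
            ptc.default_user)

    def test_userFolderDelUsers(self):
        self.checkAuthenticator('/acl_users/userFolderDelUsers',
            'names:list=%s' % ptc.default_user)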
00140 
00141 
def test_suite():
    """Collect this module's test cases into a suite for the Zope test runner."""
    suite = TestSuite()
    suite.addTest(makeSuite(AuthenticatorTestCase))
    return suite
00146