Merge pull request #24 from plone/allowed-types

check parent for allowed types

src/plone.server/CHANGELOG.rst

@@ -1,7 +1,8 @@
 1.0a7 (unreleased)
 ------------------
 
-- Nothing changed yet.
+- Correctly check parent object for allowed addable types
+  [vangheem]
 
 
 1.0a6 (2016-11-21)

src/plone.server/plone/server/content.py

@@ -179,9 +179,13 @@ def createContentInContainer(container, type_, id_, request=None, **kw):
                 not request.security.checkPermission(permission.id, container):
             raise NoPermissionToAdd(str(container), type_)
 
-    if factory.allowed_types is not None and \
-            type_ not in factory.allowed_types:
-        raise NotAllowedContentType(str(container), type_)
+    # allowed types is defined on the parent object
+    parent_pt = getattr(container, 'portal_type', None)
+    if parent_pt:
+        parent_factory = getCachedFactory(parent_pt)
+        if parent_factory.allowed_types is not None and \
+                type_ not in parent_factory.allowed_types:
+            raise NotAllowedContentType(str(container), type_)
     obj = factory()
     obj.__name__ = id_
     obj.__parent__ = container

src/plone.server/plone/server/testing.py

@@ -6,6 +6,12 @@
 from plone.server.factory import make_app
 from zope.component import getUtility
 from zope.configuration.xmlconfig import include
+from zope.component import getGlobalSiteManager
+from zope.security.interfaces import IInteraction
+from plone.server.api.layer import IDefaultLayer
+from plone.server.interfaces import IRequest
+from zope.interface import implementer
+from plone.server.auth.participation import RootParticipation
 
 import asyncio
 import json
@@ -240,16 +246,35 @@ def new_root(cls):
         return conn.root()
 
 
-class PloneServerBaseTestCase(unittest.TestCase):
+@implementer(IRequest, IDefaultLayer)
+class FakeRequest(object):
+
+    def __init__(self):
+        self.site_components = getGlobalSiteManager()
+        self.security = IInteraction(self)
+
+
+class PloneBaseTestCase(unittest.TestCase):
+
+    def setUp(self):
+        self.request = FakeRequest()
+
+    def login(self):
+        self.request.security.add(RootParticipation(self.request))
+        self.request.security.invalidate_cache()
+        self.request._cache_groups = {}
+
+
+class PloneServerBaseTestCase(PloneBaseTestCase):
     """ Only the app created """
     layer = PloneServerBaseLayer
 
 
-class PloneQueueServerTestCase(unittest.TestCase):
+class PloneQueueServerTestCase(PloneBaseTestCase):
     """ Adding the Queue utility """
     layer = PloneQueueLayer
 
 
-class PloneFunctionalTestCase(unittest.TestCase):
+class PloneFunctionalTestCase(PloneBaseTestCase):
     """ With Site and Requester utility """
     layer = PloneBaseLayer

src/plone.server/plone/server/tests/test_content.py

@@ -0,0 +1,33 @@
+from plone.server.content import createContent
+from plone.server.content import createContentInContainer
+from plone.server.content import Folder
+from plone.server.content import NotAllowedContentType
+from plone.server.metaconfigure import contenttypeDirective
+from plone.server.testing import PloneServerBaseTestCase
+
+
+class TestContent(PloneServerBaseTestCase):
+
+    def test_allowed_types(self):
+        self.login()
+        db = self.layer.app['plone']
+        site = createContent(
+            'Site',
+            id='plone',
+            title='Plone')
+        site.__name__ = 'plone'
+        db['plone'] = site
+
+        contenttypeDirective(
+            self.layer.app.app.config,
+            'TestType',
+            Folder,
+            None,
+            behaviors=None,
+            add_permission=None,
+            allowed_types=['Item'])
+        self.layer.app.app.config.execute_actions()
+        obj = createContentInContainer(site, 'TestType', 'foobar')
+        with self.assertRaises(NotAllowedContentType):
+            createContentInContainer(obj, 'TestType', 'foobar')
+        createContentInContainer(obj, 'Item', 'foobar')