- added more security tests
- fixed __ac_permissions__ created by the browser:view directive
Unknown committed Jul 11, 2012
1 parent fbc0a65 commit 4ac217a
Showing 4 changed files with 96 additions and 1 deletion.
1 change: 1 addition & 0 deletions src/Products/Five/browser/metaconfigure.py
Expand Up @@ -262,6 +262,7 @@ def publishTraverse(self, request, name,
)

if class_ is not None:
cdict.update(getSecurityInfo(class_))
bases = (class_, simple)
else:
bases = (simple,)
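Review bot: The added `cdict.update(getSecurityInfo(class_))` carries no comment saying why the class's security declarations are copied into the generated class's dict, and that reason is the whole fix. Going by the commit title, I would put `# carry over class_'s own security declarations so the generated class does not end up with only the directive's permission` above it. Because this is an `update()`, any key already placed in `cdict` earlier in the function (not visible in this hunk) is overwritten by the class's value, so it is worth confirming that no security-related key is set before this point. If `getSecurityInfo` only looks at declarations made directly on `class_`, declarations inherited from its bases would presumably still be left out; a test with a subclass of the fixture view would pin that. The enclosing function starts and ends outside the hunk.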
26 changes: 25 additions & 1 deletion src/Products/Five/browser/tests/pages.py
Expand Up @@ -14,9 +14,11 @@
"""Test browser pages
"""

from AccessControl.class_init import InitializeClass
from AccessControl.SecurityInfo import ClassSecurityInfo
from OFS.SimpleItem import SimpleItem
from Products.Five import BrowserView
from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
from OFS.SimpleItem import SimpleItem


class SimpleView(BrowserView):
Expand Down Expand Up @@ -96,3 +98,25 @@ def __init__(self, context, request):
def method(self):
"""Docstring"""
return


class ProtectedView(object):

security = ClassSecurityInfo()

security.declarePublic('public_method')
def public_method(self):
"""Docstring"""
return u'PUBLIC'

security.declareProtected('View', 'protected_method')
def protected_method(self):
"""Docstring"""
return u'PROTECTED'

security.declarePrivate('private_method')
def private_method(self):
"""Docstring"""
return u'PRIVATE'

InitializeClass(ProtectedView)
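Review bot: `ProtectedView` declares a public, a protected and a private method but has no method left without a declaration, so the fixture cannot show which permission an undeclared attribute ends up with once the directive's permission is combined with the class's settings. That default is the case most likely to be loosened by accident; a fourth method such as `def undeclared_method(self):` with a docstring and a distinct return value, plus a matching roles assertion in pages.txt, would cover it. A one-line class docstring would also help the next reader, e.g. `"""View with public, protected and private methods for the security tests."""`.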
46 changes: 46 additions & 0 deletions src/Products/Five/browser/tests/pages.txt
Expand Up @@ -319,6 +319,52 @@ Test traversal to resources from within ZPT pages:
<html><body><img alt=""
src="http://nohost/test_folder_1_/testoid/++resource++pattern.png" /></body></html>

Security settings of the base class are combined with new settings based on the
view permission:

>>> from AccessControl import ACCESS_PUBLIC
>>> view = self.folder.unrestrictedTraverse('testoid/protected_class_page')
>>> view.__parent__ == self.folder.testoid
True
>>> view.__ac_permissions__
(('View', ('protected_method',)), ('View management screens', ('', '__call__')))
>>> aq_acquire(view, '__call____roles__')
('Manager',)
>>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
True
>>> aq_acquire(view, 'protected_method__roles__')
['Manager', 'test_role_1_', 'Manager', 'Anonymous']
>>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
True

>>> view = self.folder.unrestrictedTraverse('testoid/protected_template_class_page')
>>> view.__parent__ == self.folder.testoid
True
>>> view.__ac_permissions__
(('View', ('protected_method',)), ('View management screens', ('', '__call__')))
>>> aq_acquire(view, '__call____roles__')
('Manager',)
>>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
True
>>> aq_acquire(view, 'protected_method__roles__')
['Manager', 'test_role_1_', 'Manager', 'Anonymous']
>>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
True

>>> view = self.folder.unrestrictedTraverse('testoid/protected_class_view')
>>> view.__parent__ == self.folder.testoid
True
>>> view.__ac_permissions__
(('View', ('protected_method',)), ('View management screens', ('',)))
>>> getattr(view, '__call____roles__', False)
False
>>> aq_acquire(view, 'public_method__roles__') is ACCESS_PUBLIC
True
>>> aq_acquire(view, 'protected_method__roles__')
['Manager', 'test_role_1_', 'Manager', 'Anonymous']
>>> aq_acquire(view, 'private_method__roles__') is ACCESS_PRIVATE
True


Clean up
--------
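Review bot: All three new blocks reach the view with `unrestrictedTraverse` and then read `__ac_permissions__` and the `*__roles__` attributes, so they pin the security metadata but never show that access is actually refused. One check per view that goes through `restrictedTraverse` as a user lacking the permission, expecting `Unauthorized` for `private_method`, would tie the metadata to enforcement. The expected `['Manager', 'test_role_1_', 'Manager', 'Anonymous']` also depends on the fixture's role mappings and on list order, which makes the test brittle; a membership assertion such as `'Anonymous' in aq_acquire(view, 'protected_method__roles__')` states the intent more directly. `ACCESS_PRIVATE` and `aq_acquire` are used without an import in the added lines, so they are presumably imported earlier in the file.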
24 changes: 24 additions & 0 deletions src/Products/Five/browser/tests/pages.zcml
Expand Up @@ -250,4 +250,28 @@
permission="zope2.Public"
/>

<!-- views with protected methods -->

<browser:page
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.ProtectedView"
name="protected_class_page"
permission="zope2.ViewManagementScreens"
/>

<browser:page
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.ProtectedView"
template="falcon.pt"
name="protected_template_class_page"
permission="zope2.ViewManagementScreens"
/>

<browser:view
for="Products.Five.tests.testing.simplecontent.ISimpleContent"
class=".pages.ProtectedView"
name="protected_class_view"
permission="zope2.ViewManagementScreens"
/>

</configure>
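Review bot: The three new registrations all use `permission="zope2.ViewManagementScreens"`, so the tests only cover a directive permission that is stricter than the class's own declarations. The case that matters most for this fix is the opposite one: registering `.pages.ProtectedView` with `permission="zope2.Public"` (already used by the registration just above) and asserting that `private_method` stays private and `protected_method` stays on 'View'. I would add that as a fourth `browser:page` with its own name, together with the matching doctest block in pages.txt.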
