Merge pull request #38 from zopefoundation/issue19

Document behaviour of ParanoidSecurityPolicy when there are no participations
zopefoundation · Sep 11, 2017 · 54ee5cd · 54ee5cd
2 parents e0e6f98 + a844ed4
commit 54ee5cd
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 15 deletions.
diff --git a/src/zope/security/simplepolicies.py b/src/zope/security/simplepolicies.py
@@ -24,7 +24,12 @@
 @zope.interface.implementer(IInteraction)
 @zope.interface.provider(ISecurityPolicy)
 class ParanoidSecurityPolicy(object):
-    """Prohibit all access exctp to public items, or by explicit principals"""
+    """
+    Prohibit all access by any non-system principal, unless the item is public.
+
+    This means that if there are no participations (and hence no
+    principals), then access is allowed.
+    """
 
     def __init__(self, *participations):
         self.participations = []
@@ -58,7 +63,9 @@ def checkPermission(self, permission, object):
 
 @zope.interface.provider(ISecurityPolicy)
 class PermissiveSecurityPolicy(ParanoidSecurityPolicy):
-    """Allow all access."""
+    """
+    Allow all access.
+    """
 
     def checkPermission(self, permission, object):
         return True
diff --git a/src/zope/security/tests/test_simplepolicies.py b/src/zope/security/tests/test_simplepolicies.py
@@ -16,6 +16,12 @@
 
 class ConformsToIInteraction(object):
 
+    def _getTargetClass(self):
+        raise NotImplementedError("Subclass responsibility")
+
+    def _makeOne(self, *participations):
+        return self._getTargetClass()(*participations)
+
     def test_class_conforms_to_IInteraction(self):
         from zope.interface.verify import verifyClass
         from zope.security.interfaces import IInteraction
@@ -35,9 +41,6 @@ def _getTargetClass(self):
         from zope.security.simplepolicies import ParanoidSecurityPolicy
         return ParanoidSecurityPolicy
 
-    def _makeOne(self, *participations):
-        return self._getTargetClass()(*participations)
-
     def test_ctor_no_participations(self):
         policy = self._makeOne()
         self.assertEqual(policy.participations, [])
@@ -70,7 +73,7 @@ class Participation(object):
         p1, p2, p3 = Participation(), Participation(), Participation()
         policy = self._makeOne(p1, p2, p3)
         policy.remove(p2)
-        target = object()
+
         self.assertEqual(policy.participations, [p1, p3])
         self.assertTrue(p1.interaction is policy)
         self.assertTrue(p2.interaction is None)
@@ -101,18 +104,20 @@ class Participation(object):
         target = object()
         self.assertFalse(policy.checkPermission(permission, target))
 
+    def test_checkPermission_w_no_participations(self):
+        # The permission and object don't matter: if there are no
+        # participations, access is allowed.
+        policy = self._makeOne()
+        self.assertTrue(policy.checkPermission(None, None))
+        self.assertTrue(policy.checkPermission(self, self))
 
 class PermissiveSecurityPolicyTests(unittest.TestCase,
-                                    ConformsToIInteraction,
-                                   ):
+                                    ConformsToIInteraction):
 
     def _getTargetClass(self):
         from zope.security.simplepolicies import PermissiveSecurityPolicy
         return PermissiveSecurityPolicy
 
-    def _makeOne(self, *participations):
-        return self._getTargetClass()(*participations)
-
     def test_checkPermission_w_public(self):
         policy = self._makeOne()
         permission = object()
@@ -121,7 +126,4 @@ def test_checkPermission_w_public(self):
 
 
 def test_suite():
-    return unittest.TestSuite((
-        unittest.makeSuite(ParanoidSecurityPolicyTests),
-        unittest.makeSuite(PermissiveSecurityPolicyTests),
-    ))
+    return unittest.defaultTestLoader.loadTestsFromName(__name__)