[Zope-Checkins] CVS: Zope/lib/python/OFS/tests - testTraverse.py:1.3.6.2
Shane Hathaway
shane@zope.com
Tue, 14 Jan 2003 09:55:45 -0500
Update of /cvs-repository/Zope/lib/python/OFS/tests
In directory cvs.zope.org:/tmp/cvs-serv15475/tests
Modified Files:
Tag: Zope-2_6-branch
testTraverse.py
Log Message:
When restrictedTraverse() was changed to use guarded_getattr(), it grew a
new bug. Denied access to acquired attributes resulted in an AttributeError.
On some sites that can mean that the user never gets prompted for credentials.
This is the conservative fix. The more thorough fix will go in Zope 2.7.
=== Zope/lib/python/OFS/tests/testTraverse.py 1.3.6.1 => 1.3.6.2 ===
--- Zope/lib/python/OFS/tests/testTraverse.py:1.3.6.1 Thu Sep 12 17:22:40 2002
+++ Zope/lib/python/OFS/tests/testTraverse.py Tue Jan 14 09:55:42 2003
@@ -16,18 +16,20 @@
import string, cStringIO, re
import ZODB, Acquisition
+from Acquisition import aq_base
from OFS.Application import Application
from OFS.Folder import manage_addFolder
from OFS.Image import manage_addFile
from OFS.SimpleItem import SimpleItem
from Testing.makerequest import makerequest
-from AccessControl import SecurityManager
+from AccessControl import SecurityManager, Unauthorized
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManagement import noSecurityManager
from mimetools import Message
from multifile import MultiFile
+
class UnitTestSecurityPolicy:
"""
Stub out the existing security policy for unit testing purposes.
@@ -49,6 +51,22 @@
def checkPermission( self, permission, object, context) :
return 1
+
+class CruelSecurityPolicy:
+ """Denies everything
+ """
+ #
+ # Standard SecurityPolicy interface
+ #
+ def validate(self, accessed, container, name, value, *args):
+ if aq_base(accessed) is aq_base(container):
+ raise Unauthorized, name
+ return 0
+
+ def checkPermission( self, permission, object, context) :
+ return 0
+
+
class UnitTestUser( Acquisition.Implicit ):
"""
Stubbed out manager for unit testing purposes.
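Review bot: The docstring `Denies everything` on CruelSecurityPolicy hides that validate() refuses access in two different ways, and the new test depends on the difference. When `aq_base(accessed) is aq_base(container)` it raises Unauthorized itself; otherwise (presumably the acquired case) it returns 0 and leaves the caller to turn that false result into a denial. I would add a comment above the `if`, such as `# Direct access: raise here. Acquired access: return 0 so the caller has to convert the refusal into Unauthorized.` That keeps a later cleanup from merging the two branches and silently dropping coverage of the path this fix is about.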
@@ -79,6 +97,7 @@
s = DemoStorage(quota=(1<<20))
return ZODB.DB( s ).open()
+
class TestTraverse( unittest.TestCase ):
def setUp( self ):
@@ -162,6 +181,18 @@
self.failUnlessRaises(KeyError, bb.restrictedTraverse, 'notfound')
bb.restrictedTraverse('bb_subitem')
+ def testAcquiredAttributeDenial(self):
+ # Verify that restrictedTraverse raises the right kind of exception
+ # on denial of access to an acquired attribute. If it raises
+ # AttributeError instead of Unauthorized, the user may never
+ # be prompted for HTTP credentials.
+ noSecurityManager()
+ SecurityManager.setSecurityPolicy(CruelSecurityPolicy())
+ newSecurityManager( None, UnitTestUser().__of__( self.root ) )
+ self.root.stuff = 'stuff here'
+ self.failUnlessRaises(Unauthorized,
+ self.root.folder1.restrictedTraverse, 'stuff')
+
def test_suite():
suite = unittest.TestSuite()
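Review bot: testAcquiredAttributeDenial installs CruelSecurityPolicy through SecurityManager.setSecurityPolicy() and discards the return value, which I believe is the previous policy. The deny-all policy therefore stays in place after the test unless setUp/tearDown, which are outside this hunk, put the original back. If they do not, later tests run under a deny-all policy and can pass or fail for the wrong reason. Capture it with `old = SecurityManager.setSecurityPolicy(CruelSecurityPolicy())` and restore it in a `finally:` with `SecurityManager.setSecurityPolicy(old)`. The test also exercises only the return-0 branch of validate(); a second assertion on a directly held attribute would, I think, cover the raising branch as well.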
@@ -169,7 +200,7 @@
return suite
def main():
- unittest.TextTestRunner().run(test_suite())
+ unittest.main(defaultTest='test_suite')
if __name__ == '__main__':
main()