[Zope-Checkins] CVS: Packages/AccessControl/tests - testAcquisition.py:1.1.2.1

Stefan H. Holek stefan at epy.co.at
Fri Jan 21 11:38:38 EST 2005


Update of /cvs-repository/Packages/AccessControl/tests
In directory cvs.zope.org:/tmp/cvs-serv23054

Added Files:
      Tag: Zope-2_7-branch
	testAcquisition.py 
Log Message:
Adding tests that show consequences of
http://mail.zope.org/pipermail/zope-checkins/2004-August/028152.html


=== Added File Packages/AccessControl/tests/testAcquisition.py ===
##############################################################################
#
# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.0 (ZPL).  A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE
#
##############################################################################
"""Tests demonstrating consequences of guarded_getattr fix from 2004/08/07

   http://mail.zope.org/pipermail/zope-checkins/2004-August/028152.html
   http://zope.org/Collectors/CMF/259

"""

import unittest

from Testing.makerequest import makerequest

import Zope
Zope.startup()

from OFS.SimpleItem import SimpleItem
from Globals import InitializeClass
from AccessControl import ClassSecurityInfo
from AccessControl.SecurityManagement import newSecurityManager
from AccessControl.SecurityManagement import noSecurityManager
from AccessControl.Permissions import view, view_management_screens
from AccessControl.ImplPython import guarded_getattr
from Products.SiteErrorLog.SiteErrorLog import SiteErrorLog


class AllowedItem(SimpleItem):
    id = 'allowed'
    security = ClassSecurityInfo()
    security.setDefaultAccess('allow')

InitializeClass(AllowedItem)

class DeniedItem(SimpleItem):
    id = 'denied'
    security = ClassSecurityInfo()
    security.setDefaultAccess('deny')

InitializeClass(DeniedItem)

class ProtectedItem(SimpleItem):
    id = 'protected'
    security = ClassSecurityInfo()
    security.declareObjectProtected(view_management_screens)

InitializeClass(ProtectedItem)

class ProtectedSiteErrorLog(SiteErrorLog):
    '''This differs from the base by declaring security
       for the object itself.
    '''
    id = 'error_log2'
    security = ClassSecurityInfo()
    security.declareObjectProtected(view)

InitializeClass(ProtectedSiteErrorLog)


class TestGetAttr(unittest.TestCase):

    def setUp(self):
        get_transaction().begin()
        self.app = makerequest(Zope.app())
        try:
            # Set up a manager user
            self.uf = self.app.acl_users
            self.uf._doAddUser('manager', 'secret', ['Manager'], [])
            self.login('manager')
            # Set up objects in the root that we want to aquire
            self.app.manage_addFolder('plain_folder')
            self.app._setObject('error_log2', ProtectedSiteErrorLog())
            # Set up a subfolder and the objects we want to acquire from
            self.app.manage_addFolder('subfolder')
            self.folder = self.app.subfolder
            self.folder._setObject('allowed', AllowedItem())
            self.folder._setObject('denied', DeniedItem())
            self.folder._setObject('protected', ProtectedItem())
        except:
            self.tearDown()
            raise

    def tearDown(self):
        noSecurityManager()
        get_transaction().abort()
        self.app._p_jar.close()

    def login(self, name):
        user = self.uf.getUserById(name)
        user = user.__of__(self.uf)
        newSecurityManager(None, user)

    # Acquire plain folder

    def testFolderAllowed(self):
        o = guarded_getattr(self.folder.allowed, 'plain_folder')
        self.assertEqual(o, self.app.plain_folder)

    def testFolderDenied(self):
        o = guarded_getattr(self.folder.denied, 'plain_folder')
        self.assertEqual(o, self.app.plain_folder)

    def testFolderProtected(self):
        o = guarded_getattr(self.folder.protected, 'plain_folder')
        self.assertEqual(o, self.app.plain_folder)

    # Acquire user folder

    def testAclUsersAllowed(self):
        o = guarded_getattr(self.folder.allowed, 'acl_users')
        self.assertEqual(o, self.app.acl_users)

    def testAclUsersDenied(self):
        # XXX: Fails in 2.7.3
        o = guarded_getattr(self.folder.denied, 'acl_users')
        self.assertEqual(o, self.app.acl_users)

    def testAclUsersProtected(self):
        # XXX: Fails in 2.7.3 for Anonymous
        o = guarded_getattr(self.folder.protected, 'acl_users')
        self.assertEqual(o, self.app.acl_users)

    # Acquire browser id manager

    def testBrowserIdManagerAllowed(self):
        o = guarded_getattr(self.folder.allowed, 'browser_id_manager')
        self.assertEqual(o, self.app.browser_id_manager)

    def testBrowserIdManagerDenied(self):
        o = guarded_getattr(self.folder.denied, 'browser_id_manager')
        self.assertEqual(o, self.app.browser_id_manager)

    def testBrowserIdManagerProtected(self):
        o = guarded_getattr(self.folder.protected, 'browser_id_manager')
        self.assertEqual(o, self.app.browser_id_manager)

    # Acquire error log

    def testErrorLogAllowed(self):
        o = guarded_getattr(self.folder.allowed, 'error_log')
        self.assertEqual(o, self.app.error_log)

    def testErrorLogDenied(self):
        # XXX: Fails in 2.7.3
        o = guarded_getattr(self.folder.denied, 'error_log')
        self.assertEqual(o, self.app.error_log)

    def testErrorLogProtected(self):
        # XXX: Fails in 2.7.3 for Anonymous
        o = guarded_getattr(self.folder.protected, 'error_log')
        self.assertEqual(o, self.app.error_log)

    # Now watch this: error log with object security declaration works fine!

    def testProtectedErrorLogAllowed(self):
        o = guarded_getattr(self.folder.allowed, 'error_log2')
        self.assertEqual(o, self.app.error_log2)

    def testProtectedErrorLogDenied(self):
        o = guarded_getattr(self.folder.denied, 'error_log2')
        self.assertEqual(o, self.app.error_log2)

    def testProtectedErrorLogProtected(self):
        o = guarded_getattr(self.folder.protected, 'error_log2')
        self.assertEqual(o, self.app.error_log2)

    # This appears to mean that any potential acquiree must make sure
    # to declareObjectProtected(SomePermission).

    # From the ZDG:
    # We've seen how to make  assertions on methods - but in the case of
    # someObject we are not trying to access any particular method, but
    # rather the object itself (to pass it to some_method). Because the
    # security machinery will try to validate access to someObject, we
    # need a way to let the security machinery know how to handle access
    # to the object itself in addition to protecting its methods.

    # IOW, acquiring an object in restricted Python now amounts to
    # "passing it to some_method".


class TestGetAttrAnonymous(TestGetAttr):

    # Run all tests again as Anonymous User

    def setUp(self):
        TestGetAttr.setUp(self)
        # Log out
        noSecurityManager()


def test_suite():
    suite = unittest.TestSuite()
    suite.addTest(unittest.makeSuite(TestGetAttr))
    suite.addTest(unittest.makeSuite(TestGetAttrAnonymous))
    return suite

if __name__ == '__main__':
    unittest.main(defaultTest='test_suite')




More information about the Zope-Checkins mailing list